---
title: Always Use Parameterized Queries
impact: CRITICAL
impactDescription: prevents SQL and NoSQL injection attacks
tags: injection, sql, nosql, database, parameterized, security, csharp
---

## Always Use Parameterized Queries

SQL injection remains one of the most common and most severe application vulnerabilities. Building a query by concatenating untrusted input into the SQL text lets an attacker change the structure of the statement and execute arbitrary database commands, steal data, or destroy the database.

**Incorrect (string concatenation):**

```csharp
using Microsoft.Data.SqlClient;      // or System.Data.SqlClient on .NET Framework
using Microsoft.EntityFrameworkCore;

// SQL injection vulnerability with ADO.NET: untrusted input is spliced into the
// SQL text, so quote characters in it change the structure of the statement
string userId = Request.QueryString["id"];
string query = "SELECT * FROM Users WHERE Id = '" + userId + "'";
SqlCommand cmd = new SqlCommand(query, connection);
var reader = cmd.ExecuteReader();

// Same vulnerability with EF Core: FromSqlRaw receives an already-interpolated
// string, so the value never reaches the database as a parameter
var user = context.Users
    .FromSqlRaw($"SELECT * FROM Users WHERE Id = '{userId}'")
    .FirstOrDefault();
```

**Correct (parameterized queries):**

```csharp
using Microsoft.Data.SqlClient;      // or System.Data.SqlClient on .NET Framework
using Microsoft.EntityFrameworkCore;

// Parameterized query - ADO.NET: the SQL text is fixed, the value is sent separately
string userId = Request.QueryString["id"];
string query = "SELECT * FROM Users WHERE Id = @Id";
SqlCommand cmd = new SqlCommand(query, connection);
cmd.Parameters.AddWithValue("@Id", userId); // Safe; AddWithValue infers the SQL type from the
                                            // .NET value, use Parameters.Add with an explicit
                                            // SqlDbType when the column type matters
var reader = cmd.ExecuteReader();

// EF Core - LINQ queries are automatically parameterized
var userFromLinq = context.Users
    .FirstOrDefault(u => u.Id == userId);

// EF Core - FromSqlInterpolated turns every interpolated value into a DbParameter (safe)
var userFromSql = context.Users
    .FromSqlInterpolated($"SELECT * FROM Users WHERE Id = {userId}")
    .FirstOrDefault();
```
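As an added illustration of the mechanism (not code from the original rule), the following console program runs the concatenated and the parameterized lookup against an in-memory SQLite database; it assumes the Microsoft.Data.Sqlite package and a constructed Users table. A legitimate name containing a quote breaks the concatenated statement but is bound correctly as a parameter, which is the same structural property that keeps injected input from being parsed as SQL.

```csharp
using System;
using Microsoft.Data.Sqlite;

// Added demonstration, not part of the original rule: an in-memory SQLite database
// (Microsoft.Data.Sqlite package assumed) with a constructed Users table.
class ParameterizedQueryDemo
{
    // Vulnerable pattern: the value is spliced into the SQL text, so a quote
    // character inside it changes the statement the engine parses.
    static string CountByNameConcatenated(SqliteConnection connection, string name)
    {
        using var cmd = connection.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM Users WHERE Name = '" + name + "'";
        try
        {
            return cmd.ExecuteScalar()!.ToString()!;
        }
        catch (SqliteException ex)
        {
            // "O'Brien" becomes ... Name = 'O'Brien', which is not valid SQL
            return "SqliteException: " + ex.Message;
        }
    }
    // Hardened pattern: the SQL text is constant; the value is bound as a typed
    // parameter and can never be interpreted as part of the statement.
    static long CountByNameParameterized(SqliteConnection connection, string name)
    {
        using var cmd = connection.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM Users WHERE Name = @Name";
        cmd.Parameters.Add("@Name", SqliteType.Text).Value = name;
        return (long)cmd.ExecuteScalar()!;
    }
    static void Main()
    {
        using var connection = new SqliteConnection("Data Source=:memory:");
        connection.Open();
        using (var setup = connection.CreateCommand())
        {
            setup.CommandText =
                "CREATE TABLE Users (Id INTEGER PRIMARY KEY, Name TEXT NOT NULL);" +
                "INSERT INTO Users (Id, Name) VALUES (1, 'Alice'), (2, 'O''Brien');";
            setup.ExecuteNonQuery();
        }
        string input = "O'Brien"; // constructed input: a legitimate name containing a quote
        Console.WriteLine("Concatenated:  " + CountByNameConcatenated(connection, input));
        Console.WriteLine("Parameterized: " + CountByNameParameterized(connection, input));
    }
}
```

Run with `dotnet run` after `dotnet add package Microsoft.Data.Sqlite`; the concatenated lookup reports a SqliteException while the parameterized one returns 1.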

**Tools:** Roslyn Analyzers (CA2100), SonarQube (S2077, S3649), Security Code Scan
