Parameters are not meant to validate your input.
Your code should validate your input before it reaches the stage where you want to use the input in an SQL query.
SQL Insertion attack can occur if you dynamically create your SQL query using unvalidated input from the user.
Say you create your SQL query as such:
- SELECT * FROM myTable WHERE theid = '" + myTextBox.Text + "'"
This is compiled by the database into a command which it executes.
So, under normal use the compiled command would be something like:
- SELECT * FROM myTable WHERE theid = '12345'
But, if someone were trying to do something malicious to your application they may enter their own SQL command instead of the expected input. This would be compiled along with your code and they would be able to execute what ever they wanted to....all they have to do is end your SQL query, add their own SQL query and then comment out the rest of your query.
So, in order to prevent this, you should use parameters.
These allow you to provide user input as literals. It indicates that these values should not be compiled as SQL but used as harmless Strings etc instead.
The parameters are not meant to validate your input.
You should still check to make sure that the values you're updating with will fit in the database and match the type that is expected etc etc....data validation. This will not only avoid SQL Insertion Attacks but will also avoid other problems that may result from leaving these things unchecked (liked Buffer Over Flow Attacks etc etc).
Check out this article for more information about
SQL Injection Attacks
-Frinny