As the title says, if I'm using SQL parameters, ie

SqlCommand cmd = new SqlCommand("select * from users where username = @user and password = @pass limit 1", Cxn);

cmd.Parameters.Add("@user", SqlDbType.VarChar);
cmd.Parameters.Add("@pass", SqlDbType.VarChar);

Can I just enter the parameters value as the direct entry from the input?

cmd.Parameters["@user"].Value = txtBxUserName.Text;
cmd.Parameters["@pass"].Value = txtBxPassword.Text;

That's what seems to be suggested whenever you look for anything to do with escaping strings etc.; the end answer is to just let the parameter binding do it. But will that protect against injection attacks and the like? Or do you still need to perform some server-side validation?

Coming from a heavily orientated PHP background it goes against every fibre of my body to directly enter text into a query :p

+1  A: 

Yes, this is the safest way to store data in a database using .NET. SQL parameters provide type checking and validation. Because they are treated as a literal value, not as executable code, this prevents SQL injection.

Teddy
Using parameterized queries is the safest way in **any** language.
Bobby
+5  A: 

The example you've given is safe in terms of SQL Injection. The only potential SQL Injection problem with parameterized queries is if they address a proc which itself uses dynamic SQL.

Of course, you still have to think about XSS exploits whether you're parameterizing or not.

Yellowfog
A: 

Using parameters will escape out all special characters and prevent injection attacks. This is why parameters are the recommended method.

Dr Herbie
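An added example, not from the question or any of the answers, that makes their point concrete with Python's sqlite3 module, which uses `?` placeholders where SqlCommand uses `@user`/`@pass`. The users table, its single row, and the function names are constructed for this demo. A username that legitimately contains an apostrophe breaks the concatenated statement because the database parses the input as SQL text, while the parameterized statement compares it as data:

```python
import sqlite3

def make_db():
    """Constructed in-memory users table; stands in for the asker's Cxn."""
    cxn = sqlite3.connect(":memory:")
    cxn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # The row is inserted with parameters too, so the apostrophe is stored verbatim.
    cxn.execute("INSERT INTO users VALUES (?, ?)", ("o'brien", "s3cret"))
    return cxn

def login_concat(cxn, user, pw):
    """Input spliced into the SQL text. The database parses the user's
    characters as part of the statement, so a quote in the input changes
    the statement's structure instead of being compared as a value."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s' LIMIT 1" % (user, pw))
    return cxn.execute(sql).fetchone() is not None

def login_param(cxn, user, pw):
    """Same query with placeholders. The SQL text is fixed when it is
    parsed and the values travel separately, so whatever the input
    contains, it can only ever be compared as data, never run as SQL."""
    sql = ("SELECT username FROM users WHERE username = ? "
           "AND password = ? LIMIT 1")
    return cxn.execute(sql, (user, pw)).fetchone() is not None

def compare(user, pw):
    """Run both forms on the same input and return (concat_result,
    param_result); concat_result is 'syntax error' when the spliced
    statement could not even be parsed."""
    cxn = make_db()
    try:
        concat = login_concat(cxn, user, pw)
    except sqlite3.OperationalError:
        concat = "syntax error"
    return concat, login_param(cxn, user, pw)

if __name__ == "__main__":
    print(compare("o'brien", "s3cret"))  # ('syntax error', True)
    print(compare("o'brien", "wrong"))   # ('syntax error', False)
    print(compare("alice", "s3cret"))    # (False, False)
```

Note that the bound value is not "escaped" into the statement: the apostrophe reaches the database unchanged as part of the data, which is why the parameterized lookup still finds the stored row.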