This works but would still be vulnerable to injections right?
Yeah, your code is terrifyingly vulnerable to SQL injections.
I know that I should be using parameterized queries to avoid SQL injections.
Oh absolutely yeah.
My question is, how can I do this when I’m passing the query as a string parameter?
You simply shouldn’t be passing the query as a string parameter. Instead you should be passing the query as string parameter containing placeholders and the values for those placeholders:
public static DataTable SqlDataTable(string sql, IDictionary<string, object> values)
{
using (SqlConnection conn = new SqlConnection(DatabaseConnectionString))
using (SqlCommand cmd = conn.CreateCommand())
{
conn.Open();
cmd.CommandText = sql;
foreach (KeyValuePair<string, object> item in values)
{
cmd.Parameters.AddWithValue("@" + item.Key, item.Value);
}
DataTable table = new DataTable();
using (var reader = cmd.ExecuteReader())
{
table.Load(reader);
return table;
}
}
}
and then use your function like this:
DataTable dt = SqlComm.SqlDataTable(
"SELECT * FROM Users WHERE UserName = @UserName AND Password = @Password",
new Dictionary<string, object>
{
{ "UserName", login.Text },
{ "Password", password.Text },
}
);
if (dt.Rows.Count > 0)
{
// do something if the query returns rows
}