
Let's say I have the below code (stripping out useless things like the connection string, dataset creation, setting the command type, etc.).

using System.Data;
using System.Data.SqlClient;

// connectionString and someValue are supplied elsewhere (omitted here).
string sql = "SELECT * FROM SomeTable WHERE Field=@ParamValue";

using (SqlConnection conn = new SqlConnection(connectionString))
using (SqlCommand cmd = new SqlCommand(sql, conn))
using (SqlDataAdapter da = new SqlDataAdapter(cmd))
{
    // The value is bound as a parameter; it is not spliced into the SQL text.
    cmd.Parameters.Add(new SqlParameter("ParamValue", someValue));
    DataSet ds = new DataSet();
    da.Fill(ds); // the adapter opens and closes the connection itself
}

Is this use of a parameterized query sufficient to ensure security against SQL injection, or do I need to strip quotes from someValue first, before passing it in as a parameter?

Jon Story

1 Answer


No, you do not need to escape quotes. When you perform a SqlCommand using SqlParameters, the parameters are never inserted directly into the statement.

Instead, a system stored procedure called sp_executesql is called and given the SQL string and the array of parameters (the TDS protocol).

The parameters are isolated and treated as data. This mitigates SQL injection concerns and provides other benefits, such as strong-typing and improved performance.

Antoine V
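The following T-SQL is an added example, not part of the question or the answer above. It reproduces, directly on SQL Server, the two ways the query from the question could reach the server: through sp_executesql with the value bound as a parameter (which is what SqlClient issues for a SqlCommand carrying SqlParameters) and through plain string concatenation. The #SomeTable temp table, its rows and the hostile value are constructed for the demonstration.

```sql
-- Constructed test data standing in for the question's SomeTable.
CREATE TABLE #SomeTable (Id int, Field nvarchar(50));
INSERT INTO #SomeTable (Id, Field) VALUES
    (1, N'Alice'),
    (2, N'O''Brien'),   -- a legitimate value that contains a single quote
    (3, N'Bob');

-- A hostile value a caller might supply as someValue.
DECLARE @someValue nvarchar(100) = N'x'' OR 1=1 --';

-- 1) Parameterized, as SqlClient sends it: the statement text is fixed and the
--    value travels separately as typed data. The quote and the trailing "--"
--    are compared literally against Field, so this returns 0 rows.
EXEC sp_executesql
    N'SELECT * FROM #SomeTable WHERE Field = @ParamValue',
    N'@ParamValue nvarchar(100)',
    @ParamValue = @someValue;

-- 2) Concatenated: the value becomes part of the statement text. The quote
--    closes the literal, "OR 1=1" matches every row and "--" comments out the
--    dangling quote. Returns all 3 rows.
DECLARE @sql nvarchar(max) =
    N'SELECT * FROM #SomeTable WHERE Field = ''' + @someValue + N'''';
EXEC (@sql);

-- 3) The legitimate quoted value needs no escaping when bound as a parameter:
--    this returns exactly the O'Brien row. Stripping quotes from the input
--    first would have made that row unreachable.
EXEC sp_executesql
    N'SELECT * FROM #SomeTable WHERE Field = @ParamValue',
    N'@ParamValue nvarchar(100)',
    @ParamValue = N'O''Brien';

DROP TABLE #SomeTable;
```

Run the batch in SSMS or sqlcmd against any SQL Server database; the three result sets (0 rows, 3 rows, 1 row) show that the parameter value never becomes part of the parsed statement, which is why quote stripping is both unnecessary and harmful to legitimate data.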