Your first example is parameterised and is not vulnerable to SQL injection.

Parameterised queries aren't simply replaced by the server with values (like you might do manually, replacing `@var` with `value`). They are sent and received exactly as you sent them, with `@valueFromApplication` still in the text.

The server will parse the query, and when it gets to a variable it will look up the value supplied. If that value is `'' ; DROP DATABASE Foo --`, then that becomes the value it uses. It doesn't parse that; it just uses it as text/number/whatever type it is.

To add a note about Entity Framework: it internally uses parameterised queries, so it is also SQL injection safe.