Sir, thanks for the reply. I am a little bit confused between the parameterized stored procedure and the stored procs I am using with the help of the SqlHelper class, for example:
The stored proc created in SQL Server:
CREATE PROC [dbo].[SP_GetProduct]
(
     @CATEGORY_ID     numeric(18,0)
    ,@SUB_CATEGORY_ID numeric(18,0)
    ,@ITEM_NO         nvarchar(150)
    ,@DESCRIPTION     nvarchar(500)
    ,@PRODUCT_ID      numeric(18,0)
)
AS
BEGIN
    SELECT   A.[PRODUCT_ID]
            ,A.[CATEGORY_ID]
            ,A.[SUB_CATEGORY_ID]
            ,A.[ITEM_NO]
            ,A.[DESCRIPTION]
            ,A.[METERIAL]
            ,A.[PRICE]
            ,A.[ITEM_WEIGHT]
            ,A.[GIFT_BOX_INCLUDED]
            ,A.[NOTES]
            ,A.[IMAGE_THUMB]
            ,A.[IMAGE]
            ,A.DIMENSION
            ,A.CAPACITY
            ,A.RULER_IMAGE_DISPLAY
            ,B.TITLE AS CATEGORY
            ,C.TITLE AS SUB_CATEGORY
    FROM [TBLPRODUCT] AS A
    INNER JOIN TBLCATEGORY AS B ON B.CATEGORY_ID = A.CATEGORY_ID
    LEFT OUTER JOIN TBLSUBCATEGORY AS C ON C.SUBCATEGORY_ID = A.SUB_CATEGORY_ID
    WHERE
        -- Every filter is optional: passing NULL for a parameter switches that filter off.
            (A.PRODUCT_ID = @PRODUCT_ID OR @PRODUCT_ID IS NULL)
        AND (A.CATEGORY_ID = @CATEGORY_ID OR @CATEGORY_ID IS NULL)
        AND (A.SUB_CATEGORY_ID = @SUB_CATEGORY_ID OR @SUB_CATEGORY_ID IS NULL)
        AND (A.ITEM_NO = @ITEM_NO OR @ITEM_NO IS NULL)
        -- @DESCRIPTION is concatenated into the LIKE pattern as a value, not into the statement text,
        -- so it is still a bound parameter here (only % and _ inside it act as LIKE wildcards).
        AND (A.DESCRIPTION LIKE '%' + @DESCRIPTION + '%' OR @DESCRIPTION IS NULL)
    ORDER BY A.[ITEM_NO] ASC
END
And I am calling this stored proc from the SqlHelper class:
// Values are bound positionally, in the order the proc declares its parameters:
// @CATEGORY_ID, @SUB_CATEGORY_ID, @ITEM_NO, @DESCRIPTION, @PRODUCT_ID
object[] objParam = { CATEGORY_ID, SUB_CATEGORY_ID, null, null, null };
DataSet oDs = SqlHelper.ExecuteDataset(ConnectionString, "SP_GetProduct", objParam);
So, is this secure? I mean, does it prevent SQL injection, because in my current project all I am using is SqlHelper.
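The following T-SQL is an added worked example, not code from the post above. It puts the shape of the posted SP_GetProduct (parameters compared as values, @DESCRIPTION concatenated only inside the LIKE pattern) next to the one stored-procedure shape that does NOT prevent injection: a proc that splices its parameter into a string and runs it with EXEC. A parameterized call from SqlHelper protects the call boundary; it cannot protect a proc that rebuilds itself from the parameter text. The table name dbo.ProductDemo, the three procedure names, the rows and the attack string are all constructed for this demonstration.

```sql
-- Added example (not part of the original post). All object names and data are hypothetical.
SET NOCOUNT ON;
CREATE TABLE dbo.ProductDemo
(
    PRODUCT_ID  int           NOT NULL,
    ITEM_NO     nvarchar(150) NOT NULL,
    DESCRIPTION nvarchar(500) NOT NULL,
    IS_HIDDEN   bit           NOT NULL   -- rows the search must never return
);
INSERT dbo.ProductDemo VALUES
    (1, N'A-100', N'steel cup',          0),
    (2, N'A-200', N'glass vase',         0),
    (3, N'Z-999', N'internal test item', 1);
GO

-- Same shape as the posted SP_GetProduct: the parameter is a value in the plan,
-- even though it is glued into the LIKE pattern.
CREATE PROC dbo.GetProductDesc_Safe (@DESCRIPTION nvarchar(500))
AS
BEGIN
    SELECT PRODUCT_ID, ITEM_NO, DESCRIPTION
    FROM dbo.ProductDemo
    WHERE (DESCRIPTION LIKE '%' + @DESCRIPTION + '%' OR @DESCRIPTION IS NULL)
      AND IS_HIDDEN = 0;
END
GO

-- Dynamic SQL built by string concatenation: the parameter text becomes statement text.
-- Calling this through SqlHelper with a SqlParameter does not help; the proc itself is the hole.
CREATE PROC dbo.GetProductDesc_Unsafe (@DESCRIPTION nvarchar(500))
AS
BEGIN
    DECLARE @sql nvarchar(max) =
          N'SELECT PRODUCT_ID, ITEM_NO, DESCRIPTION FROM dbo.ProductDemo '
        + N'WHERE DESCRIPTION LIKE ''%' + @DESCRIPTION + N'%'' AND IS_HIDDEN = 0';
    EXEC (@sql);
END
GO

-- If dynamic SQL is really needed, keep the value a parameter with sp_executesql.
CREATE PROC dbo.GetProductDesc_Fixed (@DESCRIPTION nvarchar(500))
AS
BEGIN
    DECLARE @sql nvarchar(max) =
          N'SELECT PRODUCT_ID, ITEM_NO, DESCRIPTION FROM dbo.ProductDemo '
        + N'WHERE DESCRIPTION LIKE ''%'' + @d + ''%'' AND IS_HIDDEN = 0';
    EXEC sp_executesql @sql, N'@d nvarchar(500)', @d = @DESCRIPTION;
END
GO

-- Constructed hostile input: closes the quoted pattern, adds OR 1=1, comments out the rest.
DECLARE @attack nvarchar(500) = N'%'' OR 1=1 --';

-- 0 rows: no description contains the literal text ' OR 1=1 --.
EXEC dbo.GetProductDesc_Safe   @attack;

-- 3 rows, hidden item included: the statement executed was
--   ... WHERE DESCRIPTION LIKE '%%' OR 1=1 --%' AND IS_HIDDEN = 0
-- so the IS_HIDDEN filter was commented away and every row matched.
EXEC dbo.GetProductDesc_Unsafe @attack;

-- 0 rows again: @d is bound as a value inside the dynamic statement.
EXEC dbo.GetProductDesc_Fixed  @attack;

DROP PROC dbo.GetProductDesc_Safe, dbo.GetProductDesc_Unsafe, dbo.GetProductDesc_Fixed;
DROP TABLE dbo.ProductDemo;
```

Two things to check in your own procs before trusting the SqlHelper call: search the proc bodies for EXEC (@...) or EXECUTE with a concatenated string, and remember that % and _ inside a LIKE parameter are still wildcards (a caller can widen a search, not change the statement); escape them with an ESCAPE clause if that matters for your data.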