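// Inserts one row into Clients through a parameterized INSERT so that the
// supplied values travel to the server as bound data, never as SQL text.
using (SqlConnection conn = new SqlConnection("server=localhost;database=Tests;Trusted_Connection=Yes;"))
{
    conn.Open();

    // NOTE(review): no column list is given, so this depends on the table's
    // column order; an explicit column list would survive schema changes.
    string strQry = "INSERT INTO Clients VALUES(@username,@password)";
    int intRecs;

    // SqlCommand is IDisposable; scope it with using so its resources are
    // released even when execution throws.
    using (SqlCommand cmd = new SqlCommand(strQry, conn))
    {
        cmd.CommandType = CommandType.Text;

        // Typed, length-limited input parameter: because the value is bound
        // rather than concatenated, quote and comment characters inside it are
        // stored verbatim instead of being interpreted by the server.
        SqlParameter prm = new SqlParameter("@username", SqlDbType.VarChar, 50);
        prm.Direction = ParameterDirection.Input;
        prm.Value = "'; DELETE Hour;--";
        cmd.Parameters.Add(prm);

        // NOTE(review): the password is written exactly as supplied; for real
        // credentials it should be hashed before it reaches this statement.
        prm = new SqlParameter("@password", SqlDbType.VarChar, 50);
        prm.Direction = ParameterDirection.Input;
        prm.Value = "bar";
        cmd.Parameters.Add(prm);

        // An INSERT with no OUTPUT/SELECT clause produces no result set, so
        // ExecuteScalar() returns null and the original (int) cast would throw.
        // ExecuteNonQuery() returns the affected row count directly.
        intRecs = cmd.ExecuteNonQuery();
    }
}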