You use Microsoft Visual Studio 2010 and .NET Framework 4.0 to create an application.
The application connects to a Microsoft SQL Server 2008 database. The application contains the following code segment.
string SQL = string.Format("SELECT * FROM Customer WHERE CompanyName LIKE '%{0}%'", companyName);
var cmd = new SqlCommand(SQL, con);
You need to reduce the vulnerability to SQL injection attacks. Which code segment should you use?
A.
string SQL = "SELECT * FROM Customer Where " + "CompanyName LIKE @companyName";
var cmd = new SqlCommand(SQL,con);
cmd.Parameters.AddWithValue("@companyName", string.Format("%{0}%", companyName));
B.
string SQL = "SELECT * FROM Customer Where " + "CompanyName LIKE @companyName";
var cmd = new SqlCommand(SQL,con);
var param = new SqlParameter ("@companyName", string.Format("%{0}%", companyName));
C.
string SQL = string.Format("SELECT * FROM " + " Customer Where CompanyName LIKE {0}",
new SqlCommand("@companyName", string.format("%{0}%", companyName)));
var cmd = new SqlCommand(SQL, con);
D.
string SQL = "SELECT * FROM Customer @companyName";
var cmd = new sqlcommand(SQL,con);
cmd.Parameters.AddWithValue("companyName", string.format("where companyName LIKE '%{0}%'", companyName));
Explanation:
SqlParameterCollection.AddWithValue Method
(http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlparametercollection.addwithvalue.aspx)
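The vulnerable segment from the question beside the parameterized form the explanation points to, as an added example that is not part of the original question or of Microsoft's documentation. It assumes an open SqlConnection named con and the Customer table with its CompanyName column from the question; the ESCAPE clause and the EscapeLike helper are additions that go beyond option A.

```csharp
using System;
using System.Data.SqlClient;

static class CustomerQueries
{
    // Vulnerable (the question's original segment): the user-supplied value is
    // spliced into the SQL text, so quotes and keywords in companyName are parsed
    // as part of the statement.
    public static SqlCommand BuildVulnerable(SqlConnection con, string companyName)
    {
        string sql = string.Format(
            "SELECT * FROM Customer WHERE CompanyName LIKE '%{0}%'", companyName);
        return new SqlCommand(sql, con);
    }

    // Hardened (option A): the SQL text is constant and the value, including the
    // % wildcards, travels as a typed parameter that the server never parses as SQL.
    public static SqlCommand BuildParameterized(SqlConnection con, string companyName)
    {
        const string sql =
            "SELECT * FROM Customer WHERE CompanyName LIKE @companyName ESCAPE '\\'";
        var cmd = new SqlCommand(sql, con);
        cmd.Parameters.AddWithValue("@companyName", "%" + EscapeLike(companyName) + "%");
        return cmd;
    }

    // Parameters stop injection, but LIKE still treats %, _ and [ inside the value
    // as pattern characters; escape them when the search term should match literally.
    // Hypothetical helper added for this example.
    static string EscapeLike(string s) =>
        s.Replace("\\", "\\\\")
         .Replace("%", "\\%")
         .Replace("_", "\\_")
         .Replace("[", "\\[");
}
```

AddWithValue infers the parameter's SqlDbType from the .NET value; cmd.Parameters.Add("@companyName", SqlDbType.NVarChar, length).Value = ... declares it explicitly, which avoids implicit conversions against the column type.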