I've learned how to parameterize my text boxes when we're talking about inserting data inside the database, now I'd like to implement the same technique while manually putting the Connection String for the SQL database. My code goes like this:

connectionString = "server=localhost;uid=" + usr.Text + ";pwd=" + pwd.Text;

And I think that it is quite vulnerable to SQL injections. Any suggestions?

3 Answers

3

It's not vulnerable to SQL injections since SQL isn't being used in this case. You can't access tables and records by specifying anything in the connection string, nor can you receive data just from specifying a connection string.

It is vulnerable to connection string property injection, as Nikola mentions in his answer. See also the question "MS Access - prevent SQL injection in connection string".

1 Comment

But something curious happens with my program. If I put some default SQL injection code (' OR '1) in both textboxes, the application keeps running, when it should show an error message saying that the login failed. I'm using a try-catch clause controlling SQLException no. 1045, but no exception is thrown.
2

Depending on which provider you use, you can make use of one of the connection string builder classes provided in the .NET framework.

http://msdn.microsoft.com/en-us/library/ms254947%28v=VS.100%29.aspx

There is no clear answer about any connection string injection attacks. I can't see a way an attack can be performed by changing properties of a connection. However, Microsoft makes mention of such an attack in the link I posted above, but gives no detail on what such an attack would do. At best (or worst) an attacker would probably be able to change some properties of the connection, maybe increase the timeout and hope to DDoS your server that way.
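To make the difference between the two approaches concrete, here is an added C# console example (not code from the question or from either answer) that builds the connection string both ways and then parses each result back with the same builder class to see which keys actually ended up in it. The user name, the constructed "password" containing a semicolon and an extra key, and the helper method names are all assumptions for the demonstration; the builder properties used (`DataSource`, `UserID`, `Password`, `IntegratedSecurity`) are the real ones on `SqlConnectionStringBuilder`.

```csharp
using System;
using System.Data.SqlClient;

static class ConnectionStringDemo
{
    // Naive concatenation, as in the question: every character of the
    // text box goes straight into the key=value list.
    public static string Concatenate(string user, string password)
        => "server=localhost;uid=" + user + ";pwd=" + password;

    // Builder approach: each value is assigned to one property, and the
    // builder quotes values that contain ';' or quotes, so they stay data.
    public static string Build(string user, string password)
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = "localhost",
            UserID = user,
            Password = password
        };
        return builder.ConnectionString;
    }

    // Parse a finished connection string back and report whether the
    // "Integrated Security" key is now set; a login form should never
    // be able to turn that on.
    public static bool HasIntegratedSecurity(string connectionString)
        => new SqlConnectionStringBuilder(connectionString).IntegratedSecurity;

    static void Main()
    {
        const string user = "alice";                              // constructed sample input
        const string hostile = "pw;Integrated Security=true";    // constructed sample input

        string concatenated = Concatenate(user, hostile);
        string built = Build(user, hostile);

        Console.WriteLine("concatenated: " + concatenated);
        Console.WriteLine("  Integrated Security set? " + HasIntegratedSecurity(concatenated));

        Console.WriteLine("built:        " + built);
        Console.WriteLine("  Integrated Security set? " + HasIntegratedSecurity(built));
    }
}
```

With the concatenated string, the parser reads the extra `Integrated Security=true` as a real key, so the property check reports `True` and the connection would no longer authenticate with the typed credentials. With the builder, the whole value is emitted as `Password="pw;Integrated Security=true"`, the check reports `False`, and the text is only ever compared as a password. In a real application the same parse-back check is also a cheap way to validate a connection string before handing it to `SqlConnection`.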

0

As Mark said, no SQL injection vulnerability here. But just for readability, I'd go with:

connectionString = string.Format("server=localhost;uid={0};pwd={1}", usr.Text, pwd.Text);

But it's no safer and behaves the same.
