I am building an insert sql string at runtime and want to use parameter array coz Im afraid of sql injections.How do i do that?

Aldwin Enriquez
"Dont you ever give up!"

__________________
\"Dont you ever give up!\"

Can I use the ? operator here?

Aldwin Enriquez
"Dont you ever give up!"

Here is my sample code.It doesn't work in ADO.NET.
Any workaround for this?

SqlCommand cmd = new SqlCommand("Insert into EMP (EMPNAME,EMPPOSITION) VALUES(?,?)",con);

cmd.Parameters.Add("empName",SqlDbType.NVarChar,64 ).Value = "hello";
cmd.Parameters.Add("Position",SqlDbType.NVarChar,6 4).Value = "world";


Aldwin Enriquez
"Dont you ever give up!"

Guys,I saw the solution already.
I used @<columnname>" for the SqlCommand and "?" for the OleDbCommand object

Aldwin Enriquez
"Dont you ever give up!"