Dec 30, 2013
The CreateCommand method you refer to is a private helper which cannot be called directly. It accepts a parameterized SQL statement and parameters which are used to set up parameterized queries. There is no vulnerability.
All SQL in Spark consists of parameterized queries (also called prepared statements) which is the most important way for .NET developers to prevent SQL Injection.
However, parameterizing your queries is not the only tool available in our toolbox. In general it is good practice to have additional safeguards, by using whitelists, blacklists, regular expressions, etc. -- essentially all user entries are checked and validated before they get sent down to be used as parameters or to set up SQL.
Hope this helps.
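The two safeguards the reply describes, shown side by side as an added example that is not Spark's own code: a hypothetical CreateCommand-style helper that binds every user value as a DbParameter, and a whitelist check for the one place parameters cannot help (an identifier in ORDER BY). The helper name, the `Users` table and the Microsoft.Data.Sqlite in-memory database are assumptions for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;
using System.Text.RegularExpressions;
using Microsoft.Data.Sqlite;   // assumed package, used only to run the demo in memory

static class SafeSql
{
    // Hypothetical helper in the spirit of the private CreateCommand: the SQL text is fixed
    // by the caller and each user value is bound as a parameter, so the database engine
    // never parses user input as SQL.
    public static DbCommand CreateCommand(DbConnection conn, string sql,
                                          IDictionary<string, object> parameters)
    {
        var cmd = conn.CreateCommand();
        cmd.CommandText = sql;
        foreach (var kv in parameters)
        {
            var p = cmd.CreateParameter();
            p.ParameterName = kv.Key;            // e.g. "@name"
            p.Value = kv.Value ?? DBNull.Value;
            cmd.Parameters.Add(p);
        }
        return cmd;
    }

    // Column names cannot be parameters, so this is where the whitelist from the reply
    // applies: the requested name must be a plain identifier AND one of the known columns.
    static readonly HashSet<string> SortableColumns = new HashSet<string> { "Name", "CreatedAt" };

    public static string ValidateSortColumn(string requested)
    {
        if (!Regex.IsMatch(requested, @"^[A-Za-z_][A-Za-z0-9_]*$") || !SortableColumns.Contains(requested))
            throw new ArgumentException("Unknown sort column: " + requested);
        return requested;
    }
}

static class Demo
{
    static void Main()
    {
        using var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();
        using (var seed = conn.CreateCommand())
        {
            seed.CommandText = "CREATE TABLE Users(Name TEXT, CreatedAt TEXT); INSERT INTO Users VALUES('O''Brien','2013-12-30');";
            seed.ExecuteNonQuery();
        }
        string userInput = "O'Brien";   // constructed input; the quote would break a concatenated query
        string sort = SafeSql.ValidateSortColumn("Name");
        using var cmd = SafeSql.CreateCommand(conn,
            $"SELECT Name FROM Users WHERE Name = @name ORDER BY {sort}",
            new Dictionary<string, object> { ["@name"] = userInput });
        Console.WriteLine(cmd.ExecuteScalar());   // O'Brien: the value matched as a literal
    }
}
```

Calling `ValidateSortColumn("Name; DROP TABLE Users")` throws before any SQL is built, which is the point of checking identifiers against a whitelist rather than trying to escape them.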