How Can I Prevent SQL Injection In My Functions? [duplicate]
This question already has answers here: What is a NullReferenceException, and how do I fix it? (26 answers) What are good ways to prevent SQL injection? [duplicate] (4 answers) Closed 6 years ago.
I'm doing a program that can add and search for persons from a database. All the functions work right now, but I want to prevent SQL injections. Any ideas? Thankful for help!
This is the search function:
```csharp
public static void SearchAll() // Look up all participants and show them in the box on screen.
{
    Form1.result = "";
    connectionString = @"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\Carlo\Desktop\Projekt\Examensarbete 2018\AdminPanel\AdminPanel\employees.mdf;Integrated Security=True";
    sql = "SELECT * FROM [employee]";
    cnn = new SqlConnection(connectionString);
    cnn.Open();
    cmd = new SqlCommand(sql, cnn);
    reader = cmd.ExecuteReader();
    while (reader.Read())
    {
        Form1.result += "Email: " + reader.GetValue(1) + Environment.NewLine;
        Form1.result += "First name: " + reader.GetValue(2) + Environment.NewLine;
        Form1.result += "Last name: " + reader.GetValue(3) + Environment.NewLine;
        Form1.result += "Address: " + reader.GetValue(4) + Environment.NewLine;
        Form1.result += "Phonenumber: " + reader.GetValue(5) + Environment.NewLine;
        Form1.result += "Jobtitle: " + reader.GetValue(7) + Environment.NewLine;
        Form1.result += "Salary: " + reader.GetValue(6) + Environment.NewLine + Environment.NewLine;
    }
}
```

This is the add function:
```csharp
public static void Add(string AddEmail, string AddFistName, string AddLastName, string AddAddress, string AddPhonenumber, string AddJobTitle, string AddSalary, string checkboxChecker) // The add-a-participant function.
{
    connectionString = @"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\Carlo\Desktop\Projekt\Examensarbete 2018\AdminPanel\AdminPanel\employees.mdf;Integrated Security=True";
    using (var conn = new SqlConnection(connectionString))
    {
        var cmd = new SqlCommand("insert into Employee (Email, FirstName, LastName, Address, Phonenumber, Salary, JobTitle, GDPR,StartDate) VALUES ('" + AddEmail + "','" + AddFistName + "','" + AddLastName + "','" + AddAddress + "','" + AddPhonenumber + "', '" + AddJobTitle + "', '" + AddSalary + "', '" + checkboxChecker + "', GETDATE())", conn);
        conn.Open();
        cmd.ExecuteNonQuery();
    }
}
```

I get System.NullReferenceException when I'm trying this. I have tried to fix it, but I can't find the problem; the problem seems to be with the "email".
```csharp
public static void LoginChecker(string email, string Password) // The function that checks whether you are allowed to log in or not.
{
    Form1.result = "";
    failedCounter = 3;
    connectionString = @"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\Carlo\Desktop\Projekt\Examensarbete 2018\AdminPanel\AdminPanel\employees.mdf;Integrated Security=True";
    sql = "SELECT * FROM Login WHERE UserName = @email AND Password = @password ";
    cmd.Parameters.AddWithValue("@email", email);
    cmd.Parameters.AddWithValue("@password", Password); // the problem seems to be here!!!!!!
    cnn = new SqlConnection(connectionString);
    cnn.Open();
    cmd = new SqlCommand(sql, cnn);
    reader = cmd.ExecuteReader();
    if (reader.Read() == true) // If there is a login with the right email and password, you get in.
    {
        Form1.Log = "Successful";
    }
    else // If there is no login matching what was entered, you don't get in.
    {
        Form1.Log = "Failed";
    }
}
```
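A hardened version of the Add and LoginChecker functions from the question, written as an added example here; it is not code from the question or from any answer. It keeps the question's connection string, table and column names and uses System.Data.SqlClient as the original does. It assumes the Employee columns are all text (the original quotes every value, including Salary and GDPR; if they are numeric or bit columns, use SqlDbType.Decimal or SqlDbType.Bit instead) and returns a bool from LoginChecker instead of writing to Form1.Log. The Main method is an offline demonstration that builds a command without opening a connection, so it runs without LocalDB.

```csharp
using System;
using System.Data;
using System.Data.SqlClient; // Microsoft.Data.SqlClient exposes the same API on modern .NET

public static class EmployeeDb
{
    // Connection string copied from the question; adjust the .mdf path for your machine.
    private const string ConnectionString =
        @"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\Carlo\Desktop\Projekt\Examensarbete 2018\AdminPanel\AdminPanel\employees.mdf;Integrated Security=True";

    // SqlParameter.Value must be DBNull.Value, not null, for a missing field.
    private static object DbValue(string s) => (object)s ?? DBNull.Value;

    // Builds the INSERT with a constant statement and one parameter per field.
    // The SQL text never changes, so a quote, comment marker or semicolon typed
    // into a form field is stored as data and cannot alter the statement.
    // Column types are assumed to be text, as in the question, which quotes every value.
    public static SqlCommand BuildInsertCommand(SqlConnection conn,
        string email, string firstName, string lastName, string address,
        string phoneNumber, string jobTitle, string salary, string gdprConsent)
    {
        var cmd = new SqlCommand(
            "INSERT INTO Employee (Email, FirstName, LastName, Address, Phonenumber, Salary, JobTitle, GDPR, StartDate) " +
            "VALUES (@Email, @FirstName, @LastName, @Address, @Phonenumber, @Salary, @JobTitle, @GDPR, GETDATE())",
            conn);

        // Add(name, type, size) rather than AddWithValue: the parameter type and
        // length are fixed by the code, not inferred from whatever value arrives.
        // Sizes are assumptions; match them to the real column definitions.
        cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 256).Value = DbValue(email);
        cmd.Parameters.Add("@FirstName", SqlDbType.NVarChar, 100).Value = DbValue(firstName);
        cmd.Parameters.Add("@LastName", SqlDbType.NVarChar, 100).Value = DbValue(lastName);
        cmd.Parameters.Add("@Address", SqlDbType.NVarChar, 200).Value = DbValue(address);
        cmd.Parameters.Add("@Phonenumber", SqlDbType.NVarChar, 50).Value = DbValue(phoneNumber);
        cmd.Parameters.Add("@Salary", SqlDbType.NVarChar, 50).Value = DbValue(salary);
        cmd.Parameters.Add("@JobTitle", SqlDbType.NVarChar, 100).Value = DbValue(jobTitle);
        cmd.Parameters.Add("@GDPR", SqlDbType.NVarChar, 10).Value = DbValue(gdprConsent);
        return cmd;
    }

    // Builds the login query. The command object is created before any parameter is
    // added; the question's LoginChecker touched cmd.Parameters while cmd was still
    // null, which is the NullReferenceException it reports.
    public static SqlCommand BuildLoginCommand(SqlConnection conn, string email, string password)
    {
        var cmd = new SqlCommand(
            "SELECT 1 FROM Login WHERE UserName = @email AND Password = @password", conn);
        cmd.Parameters.Add("@email", SqlDbType.NVarChar, 256).Value = DbValue(email);
        cmd.Parameters.Add("@password", SqlDbType.NVarChar, 256).Value = DbValue(password);
        return cmd;
    }

    public static void Add(string email, string firstName, string lastName, string address,
        string phoneNumber, string jobTitle, string salary, string gdprConsent)
    {
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = BuildInsertCommand(conn, email, firstName, lastName, address,
                                            phoneNumber, jobTitle, salary, gdprConsent))
        {
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // Returns true when a Login row matches; the caller sets Form1.Log from the result.
    public static bool LoginChecker(string email, string password)
    {
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = BuildLoginCommand(conn, email, password))
        {
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                return reader.Read();
            }
        }
    }

    // Offline demonstration: no connection is opened, so this runs without LocalDB.
    // The classic bypass string stays a parameter value; CommandText is untouched.
    public static void Main()
    {
        using (var cmd = BuildLoginCommand(null, "admin@example.com' OR 1=1 --", "anything"))
        {
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine($"{p.ParameterName} ({p.SqlDbType}({p.Size})) = {p.Value}");
        }
    }
}
```

Two things to check when adapting this: the SqlCommand must exist before anything is added to its Parameters collection (that ordering is the only change needed to remove the NullReferenceException in the question's LoginChecker), and the statement text must contain no concatenated input at all, since a single spliced-in field is enough to undo the protection the other parameters provide. Comparing the Password column directly in the query, as the question's code does, works only if passwords are stored in clear text; storing and verifying a salted hash is a separate concern from injection and is not shown here.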