I am aware that for SqlCommand I have to use SqlParameter when passing parameters to the query, to avoid SQL injection. But what about the DataRow? For example:
row.UserComment = tbUserComment.Text;
Here "row" is a System.Data.DataRow that will be saved to the DB with an SqlDataAdapter. And "tbUserComment.Text" is an ASP.NET TextBox that is filled by the user. Can this be used for SQL injection? If yes, then what can I do to prevent it?
See in this documentation: https://learn.microsoft.com/en-us/dotnet/api/system.data.sqlclient.sqldataadapter?view=dotnet-plat-ext-6.0
The InsertCommand, DeleteCommand, and UpdateCommand are generic templates that are automatically filled with individual values from every modified row through the parameters mechanism.
So this will automatically parameterize the DataRow, meaning there should be no possibility of SQL injection if this pattern is adhered to.
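To make the parameter mechanism the answer refers to visible, here is an added example (not code from the question or the answer above) showing the row value bound to the adapter's UpdateCommand through a SqlParameter with a SourceColumn, so the user text never becomes part of the SQL text. The table name "Comments", the columns "Id" and "UserComment", and the connection string are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example. Assumes a table "Comments" with columns
// Id (int, primary key) and UserComment (nvarchar); these names are assumptions.
public static class CommentSaver
{
    // Returns the number of rows the adapter wrote back.
    public static int SaveComment(string connectionString, int id, string userComment)
    {
        using (var connection = new SqlConnection(connectionString))
        using (var adapter = new SqlDataAdapter(
            "SELECT Id, UserComment FROM Comments WHERE Id = @Id", connection))
        {
            // The SELECT itself is parameterized as well.
            adapter.SelectCommand.Parameters.Add("@Id", SqlDbType.Int).Value = id;

            // Explicit UpdateCommand: the SQL text is a fixed template. Each parameter
            // names the DataRow column it is filled from (SourceColumn), so on
            // adapter.Update the row's UserComment value is sent as parameter data,
            // not spliced into the statement.
            var update = new SqlCommand(
                "UPDATE Comments SET UserComment = @UserComment WHERE Id = @Id", connection);
            update.Parameters.Add("@UserComment", SqlDbType.NVarChar, 4000, "UserComment");
            update.Parameters.Add("@Id", SqlDbType.Int, 4, "Id");
            adapter.UpdateCommand = update;

            var table = new DataTable();
            adapter.Fill(table);
            if (table.Rows.Count == 0)
            {
                return 0; // nothing to update
            }

            // Equivalent of row.UserComment = tbUserComment.Text in the question:
            // the value is stored in the DataRow, whatever characters it contains.
            DataRow row = table.Rows[0];
            row["UserComment"] = userComment;

            // Update() walks the modified rows and executes UpdateCommand once per row,
            // populating @UserComment and @Id from the row's columns.
            return adapter.Update(table);
        }
    }
}
```

If you prefer not to write the UpdateCommand by hand, constructing a SqlCommandBuilder over the adapter (`new SqlCommandBuilder(adapter)`) generates INSERT, UPDATE and DELETE commands from the SELECT, and those generated commands are parameterized in the same way. The property to check when reviewing such code is that no command text is ever built by concatenating DataRow or TextBox values.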