ado.net sqlserver 注入漏洞问题

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Data.SqlClient;

namespace login1
{
class Program
{
static void Main(string[] args)
{
Console.WriteLine("请输入用户名：");
string username = Console.ReadLine();
Console.WriteLine("请输入密码:");
string password = Console.ReadLine();//当输入1'or'1'='1时会形成注入漏洞

//连链数据库
using (SqlConnection conn = new SqlConnection
(@"data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=D:\My Documents\Visual Studio 2008\Projects\ado.net\ado.net\Database1.mdf;User Instance=true"))
{
conn.Open();
using(SqlCommand cmd=conn.CreateCommand())
{
//使用参数化的形式防止注入漏洞,不要使用字符并接（cmd.CommandText="select*from mytable1 where name='"+name+"',password='"+password+"'";）
//@un :类似于占位符
cmd.CommandText = "select count(*) from mytable2 where username=@un and password=@p";
cmd.Parameters.Add(new SqlParameter("un",username));
cmd.Parameters.Add(new SqlParameter("p", password));
//cmd.ExecuteScalar()以object的形式返回搜索结果的第一行第一列
int i = Convert.ToInt32(cmd.ExecuteScalar());
if (i > 0)
{
Console.WriteLine("登录成功！");
}
else
{
Console.WriteLine("用户名或密码错误！");
}
}

}
Console.ReadKey();

}
}
}