Am I protected against SQL injections?

Question

I have been attacked on my last few questions here for writing code that is open to injections. I am looking for honest help to make sure I am finally doing this the safest and correct way. Please give me any tips to make this as secure as possible.

using (SqlConnection conn = new SqlConnection(""))
        {
            try
            {
                SqlCommand cmd = new SqlCommand(@"INSERT dbo.Table (FullName, Category, Street, City, State, Zip, PhoneDay, PhoneEven, Email, Employer, Description, UserName, 
                                                  UserStreet, UserCity, UserState, UserZip, UserPhoneDay, UserPhoneEven, UserEmail, SubmitDate) 
                                                  VALUES (@f1, @f2, @f3, @f4, @f5, @f6, @f7, @f8, @f9, @f10, @f11, @f12, @f13, @f14, @f15, @f16, @f17, @f18, @f19, @f20)", conn);
                conn.Open();
                cmd.Parameters.Add("@f1", SqlDbType.NVarChar, 100).Value = NameTxtBox.Text;
                cmd.Parameters.Add("@f2", SqlDbType.NVarChar, 100).Value = HeroicList.SelectedValue;
                cmd.Parameters.Add("@f3", SqlDbType.NVarChar, 100).Value = StreetTxtBox.Text;
                cmd.Parameters.Add("@f4", SqlDbType.NVarChar, 100).Value = CityTxtBox.Text;
                cmd.Parameters.Add("@f5", SqlDbType.NVarChar, 100).Value = StateTxtBox.Text;
                cmd.Parameters.Add("@f6", SqlDbType.NVarChar, 100).Value = ZipTxtBox.Text;
                cmd.Parameters.Add("@f7", SqlDbType.NVarChar, 100).Value = PhoneDayTxtBox.Text;
                cmd.Parameters.Add("@f8", SqlDbType.NVarChar, 100).Value = PhoneEvenTxtBox.Text;
                cmd.Parameters.Add("@f9", SqlDbType.NVarChar, 100).Value = EmailTxtBox.Text;
                cmd.Parameters.Add("@f10", SqlDbType.NVarChar, 100).Value = EmpTxtBox.Text;
                cmd.Parameters.Add("@f11", SqlDbType.NVarChar, 100).Value = WhyTxtBox.Text;
                cmd.Parameters.Add("@f12", SqlDbType.NVarChar, 100).Value = UserNameTxtBox.Text;
                cmd.Parameters.Add("@f13", SqlDbType.NVarChar, 100).Value = UserStreetTxtBox.Text;
                cmd.Parameters.Add("@f14", SqlDbType.NVarChar, 100).Value = UserCityTxtBox.Text;
                cmd.Parameters.Add("@f15", SqlDbType.NVarChar, 100).Value = UserStateTxtBox.Text;
                cmd.Parameters.Add("@f16", SqlDbType.NVarChar, 100).Value = UserZipTxtBox.Text;
                cmd.Parameters.Add("@f17", SqlDbType.NVarChar, 100).Value = UserPhoneDayTxtBox.Text;
                cmd.Parameters.Add("@f18", SqlDbType.NVarChar, 100).Value = UserPhoneEvenTxtBox.Text;
                cmd.Parameters.Add("@f19", SqlDbType.NVarChar, 100).Value = UserEmailTxtBox.Text;
                cmd.Parameters.Add("@f20", SqlDbType.DateTime).Value = DateTime.Now.ToString();
                cmd.ExecuteNonQuery();

                messageLabel.Text = "Your submission has been sent!";
                messageLabel.Visible = true;
            }
            catch (System.Data.SqlClient.SqlException ex)
            {
                messageLabel.Text = ex.Message;
                messageLabel.Visible = true;
            }
        }

Answer 1

You're protected with respect to insertion, yes. Using your code, it doesn't matter what the user puts in any of the textboxes (or what they put in any other sort of response they can cook up) nothing will happen beyond their data being stuck into fields of a new row of the given table, exactly as the strings were given to you.

The only way (that comes to mind) that someone could maliciously inject code would depend on how you use the data once it's in the database. If you go and, for example, take a field from this table and stick it in a LiteralControl without escaping anything and show it to other users then someone could stick in nasty JavaScript code that they run on another person's machine, for example. That would be a "cross site scripting" attack. To prevent that you need to make sure that any user-inputted data is sanitized before being displayed.