Why are my parameterized queries not working in ASP.NET?

Question

I have code that looks like the following in a class that extends MembershipProvider (code below has been anonymized and simplified slightly):

SqlConnection conn = new SqlConnection("Integrated Security=;Persist Security Info=False;User ID=WEBUSER;Password=WEBPASSWORD;Initial Catalog=DATABASENAME;Data Source=SERVERNAME");
SqlCommand cmd = new SqlCommand("SELECT Password FROM Membership " +
    " WHERE Username = ?", conn);

cmd.Parameters.Add("@Username", System.Data.SqlDbType.NVarChar, 25).Value = "TestUser";

SqlDataReader reader = null;

try
{
    conn.Open();
    reader = cmd.ExecuteReader(); // Execution breaks here.

The code breaks when it gets to cmd.ExecuteReader(); The exception being thrown is "System.Data.SqlClient.SqlException: Incorrect syntax near '?'."

It seems to be behaving as if the "?" in the command text isn't being properly interpreted as a parameter. I can't figure out what I'm doing wrong. I admit my ASP.NET is a little rusty, but I've written code like this dozens of times before, and everything I wrote above looks like it matches the usage patterns I'm seeing in tutorials and in the MSDN examples. Can anyone tell me what I'm doing wrong?

Target .NET version is 4.0. ASP.NET is being run on my local machine inside the debugging environment in Visual Web Developer Express 2010. The database is SQL Server 2005.

Answer 1

The '?' syntax, as far as I know, is ODBC syntax. Here, you're using a direct connection to Sql. Use '@Username' instead.

Answer 2

Change

WHERE Username = ?

to

WHERE Username = @Username