
C# - ODBC Parameters acting up

So, I am trying to change the design of my program in order to prevent SQL injection, seeing how old SQL strings were made by concatenating TextBoxes with a preset string.

I am using the ODBC driver over a DB2 database.

Thing is, it works in some cases, in others it just doesn't.

Let me give you an example:

Old code:

App.Comando.CommandText = "SELECT NOMUSU, CodEmp FROM DB.Users WHERE CODUSU = '" + txt_usuario.Text + "' AND PASUSU = '" + txt_password.Password + "'";

New code:

App.Comando.CommandText = "SELECT NOMUSU, CodEmp FROM DB.Users WHERE CODUSU = ? AND PASUSU = ?";
App.Comando.Parameters.AddWithValue("@codusu", txt_usuario.Text);
App.Comando.Parameters.AddWithValue("@pass", txt_password.Password);

This one works perfectly.

However, this one doesn't. It doesn't throw any error, it just comes back seemingly empty.

Old code:

App.Comando.CommandText = "SELECT CODMAR FROM DB.Marcas AS MARCAS WHERE DESMAR = '" + marca + "'";

New code:

App.Comando.CommandText = "SELECT CODMAR FROM DB.Marcas AS MARCAS WHERE DESMAR = ?";
App.Comando.Parameters.AddWithValue("@marca", marca);

Just in case you need it,

string marca = txt_marca.Text.Trim().ToUpper();

In this case the new code doesn't work, but the old one did. I've been pulling my hair out; it just makes no sense.

Thanks for your time!

Have you set the type of command?

App.Comando.CommandText = "SELECT CODMAR FROM DB.Marcas AS MARCAS WHERE DESMAR = ?";
App.Comando.Parameters.AddWithValue("?marca", marca);
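The following is an added example, not code from the question or the answer above. It shows the two parameterized queries from the question written against System.Data.Odbc with explicit parameter types, and it illustrates the one caveat a practitioner checks first when a shared OdbcCommand (like App.Comando) is reused across queries: ODBC binds parameters by position, so the names passed to Add/AddWithValue are ignored, and any parameters left in the collection from an earlier query bind to the first `?` markers of the next one, which can silently return the wrong rows. The DSN name "DB2DSN", the method names and the hypothetical helper class are assumptions; the table and column names come from the question.

```csharp
using System;
using System.Data;
using System.Data.Odbc;

// Added example (not the asker's code). Assumes an ODBC DSN named "DB2DSN"
// pointing at the DB2 database, and the DB.Users / DB.Marcas tables from the question.
public static class Db2Queries
{
    // Brand lookup with a positional ODBC parameter. A fresh command per query
    // avoids stale parameters entirely.
    public static string FindCodMar(OdbcConnection conn, string descripcion)
    {
        // Same normalisation the old concatenated query applied.
        string marca = (descripcion ?? string.Empty).Trim().ToUpper();

        using (OdbcCommand cmd = conn.CreateCommand())
        {
            cmd.CommandType = CommandType.Text;
            cmd.CommandText = "SELECT CODMAR FROM DB.Marcas AS MARCAS WHERE DESMAR = ?";

            // The name is informational only: the ODBC provider binds by position.
            // Declaring the type explicitly keeps the driver from guessing it.
            cmd.Parameters.Add("p_marca", OdbcType.VarChar).Value = marca;

            object result = cmd.ExecuteScalar();
            return (result == null || result == DBNull.Value) ? null : result.ToString();
        }
    }

    // Login check on a shared command object. Parameters.Clear() is the key line:
    // without it, parameters added for a previous query bind to the '?' markers first.
    public static bool UserExists(OdbcCommand sharedCmd, string user, string password)
    {
        sharedCmd.Parameters.Clear();
        sharedCmd.CommandType = CommandType.Text;
        sharedCmd.CommandText =
            "SELECT NOMUSU, CodEmp FROM DB.Users WHERE CODUSU = ? AND PASUSU = ?";
        sharedCmd.Parameters.Add("p_codusu", OdbcType.VarChar).Value = user ?? string.Empty;
        sharedCmd.Parameters.Add("p_pasusu", OdbcType.VarChar).Value = password ?? string.Empty;

        using (OdbcDataReader reader = sharedCmd.ExecuteReader())
        {
            return reader.Read();
        }
    }

    public static void Main()
    {
        using (var conn = new OdbcConnection("DSN=DB2DSN"))
        {
            conn.Open();
            using (OdbcCommand shared = conn.CreateCommand())
            {
                // Login query first, then the brand lookup on the same command object.
                bool ok = UserExists(shared, "someuser", "somepass");
                Console.WriteLine("login ok: " + ok);

                // Reusing 'shared' here would be safe only after Parameters.Clear();
                // FindCodMar sidesteps the problem by creating its own command.
                Console.WriteLine("CODMAR: " + (FindCodMar(conn, "  acme ") ?? "(no row)"));
            }
        }
    }
}
```

If the brand query still returns nothing with a clean parameter collection, the next things to compare are the declared parameter type against the DESMAR column type and whether the value sent actually matches the stored text after Trim().ToUpper(), since a parameterized comparison is exact where the concatenated literal was too.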
