[Good read] SQL injection is still a thing today?

OliverA

Another good read (http://www.sommarskog.se/dynamic_sql.html). The title is: The Curse and Blessings of Dynamic SQL. If you think you need to use dynamic SQL, think really, really hard about why (and 99.99999% of the time you should not). Technically, dynamic SQL should only be used by administrators/for administrators. Users and front-end applications should never be exposed to nor be given access to dynamic SQL. Obligatory xkcd link (https://xkcd.com/327/).
 