C# 防SQL注入

/// <summary>
/// Counts the rows in <c>users</c> whose UserName and PassWd equal the supplied
/// values and whose Status is 'Active'.
/// </summary>
/// <param name="userName">Login name, bound to the <c>@userName</c> parameter.</param>
/// <param name="userPwd">Password value, bound to the <c>@userPwd</c> parameter.</param>
/// <returns>
/// The count returned by the query; 0 when either argument is null or empty, or
/// when executing the query throws.
/// </returns>
/// <remarks>
/// Both values reach the server as bound parameters and are never concatenated
/// into the SQL text, so caller input cannot change the structure of the statement.
/// NOTE(review): the query compares the PassWd column directly with the supplied
/// value. If callers pass the raw password, the column holds plaintext; confirm
/// that a salted, slow hash (e.g. PBKDF2) is stored and verified instead.
/// </remarks>
public int ChenkUserNameOrPwd(string userName, string userPwd)
{
    // Reject missing credentials before touching the database.
    if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(userPwd))
    {
        return 0;
    }

    string query = "select count(1) from users where UserName = @userName and PassWd = @userPwd and Status = 'Active'";

    // Presumably prepares DbHelperSQL.connectionString; the helper is defined outside this listing.
    DbHelperSQL.SqlDataBase();

    using (SqlConnection connection = new SqlConnection(DbHelperSQL.connectionString))
    {
        // Open() is outside the try below, so a connection failure propagates to the caller.
        connection.Open();

        using (SqlCommand command = new SqlCommand(query, connection))
        {
            // AddWithValue infers the SQL type from the .NET value (string -> nvarchar).
            // NOTE(review): if the columns are varchar, explicitly typed and sized
            // parameters avoid an implicit conversion on the server.
            command.Parameters.AddWithValue("@userName", userName);
            command.Parameters.AddWithValue("@userPwd", userPwd);

            try
            {
                object scalar = command.ExecuteScalar();
                int matchCount = Convert.ToInt32(scalar);

                // Redundant with the enclosing using, which disposes the connection anyway.
                connection.Close();
                return matchCount;
            }
            catch (Exception)
            {
                // Fails closed: any query error is reported as "no match".
                // NOTE(review): nothing is logged here, so a database fault is
                // indistinguishable from bad credentials.
                return 0;
            }
        }
    }
}
