Is this code vulnerable to SQL Injection? How would I make it safe?

Question

I have a friend who I'm trying to help out on a project, I'm by no means an expert at all in penetrating testing, in fact it's something I'm really new in, but he's asked me to help identify and potential security issues with his program.

I'm not too sure but I have a feeling that in particular one segment of code is vulnerable to SQL injection, I was wondering if anyone could provide examples of how it may be vulnerable (if it is) and also any suggestions about how the input should be sanitised.

Here is a snippet of the code

nextwork:
        cDataBase *db = NewManagerDB();
        if( !db->QueryDirect( dbginfo,  "SELECT * FROM Account WHERE UserID = '%s'", szManagerID ) )
        {
                ErrDB(db);
                DelManagerDB(db);
                if( Retire == MAX_RETIRE )
                {
                        LOG("QueryDirect error MAX_RETIRE db QueryDirect failed");
                        SendManagerAuthenResult( MgrCode::SvrError );                        
                        return;
                }
                Retire++;
                goto nextwork;
        }

Thank you for any help!

Answer 1

How to sanitize (not sure 100% how it will be with your particular db class implementation):

        db->Parameters.AddWithValue("@userid", szManagerID);  
        if( !db->QueryDirect( dbginfo,  "SELECT * FROM Account WHERE UserID = @userid" ) )

Here is an example of SQL injection:

szManagerID = "' OR UserID LIKE '%";

The result query will be:

SELECT * FROM Account WHERE UserID = '' OR UserID LIKE '%'

So you could get account data of all users