确认正确使用代码以防止SQL注入以及正确使用using语句

else if(updated_password == confirm_password)
{
    old_user = textBox1.Text;
    old_pass = textBox2.Text;
    confirm_password = textBox4.Text;

    using (var old_connection = new MySqlConnection("server=localhost;user id=" + old_user + ";database=DB;password=" + old_pass))
    {
      old_connection.Open();

      string sql = "ALTER USER @user @'localhost' IDENTIFIED BY @newPass";
      MySqlCommand old_cmd = new MySqlCommand(sql, old_connection);
      old_cmd.Parameters.AddWithValue("@user", old_user);
      old_cmd.Parameters.AddWithValue("@newPass", confirm_password);

      old_cmd.ExecuteNonQuery();

      MessageBox.Show("Password changed successfully.", "Info", MessageBoxButtons.OK, MessageBoxIcon.Information);
   }
}

有人可以告诉我是否通过正确使用.Parameters.Add ..整理出了恶意SQL注入,以及我是否正确使用了using语句?