sql injection - Is my code hackable or secure enough? -

i wonder if app injectable in front end form, url or in other way.

frontend:

<form id="form1" runat="server">      <asp:hyperlink id="hyperlinkback" runat="server" navigateurl="~/default.aspx">go back</asp:hyperlink>       <h3>             service locations</h3>      <table >         <tr>                          <td><asp:label id="lblfiltervalue" text="filter value :" runat="server"></asp:label></td>             <td><asp:textbox id="txtfiltervalue" runat="server"></asp:textbox></td>                        <td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;</td>             <td>                  <asp:label id="fieldlist" runat="server" text="filter :"></asp:label>             </td>             <td>                  <asp:dropdownlist id="drpfields"  runat="server"></asp:dropdownlist>             </td>                      </tr>                            </table>     <br />             <asp:button  id="btnreset" runat="server"  text="reset"           onclick="btnreset_click" />              <asp:button  id="btnsearch" runat="server"  text="search"           onclick="btnsearch_click" />   </form>  

codebehind:

public static datatable getlocationfilter(string sfie6ld, string svalue)     {        datatable dtdata = new datatable();      sqlconnection conn = new sqlconnection(configurationmanager.connectionstrings["locations"].connectionstring);     sqlcommand comm = new sqlcommand("usp_selectlocations", conn);     sqldataadapter da = new sqldataadapter(comm);      comm.commandtype = commandtype.storedprocedure;     comm.parameters.add(new sqlparameter("@svalue", svalue));      da.fill(dtdata);     return dtdata;     } 

sp:

alter procedure [dbo].[usp_selectlocations] @svalue varchar(250)  select *  locations title @svalue + '%' or division @svalue + '%' or locationtype @svalue + '%'