rspec/rules/S3649/csharp/how-to-fix-it/dapper.adoc

=== How to fix it in Dapper

include::../../common/fix/code-rationale.adoc[]

[cols="a"]
|===
h| Non-compliant code example
|
[source,csharp]
----
public class ExampleController : Controller
{
    private readonly string ConnectionString;

    public IActionResult Authenticate(string user, string pass)
    {
        using (var connection = new SqlConnection(ConnectionString))
        {
            var query = "SELECT * FROM users WHERE user = '" + use + "' AND pass = '" + pass + "'";
            
            var result = connection.QueryFirst<User>(query); // Noncompliant
            if (result == null) {
                Unauthorized();
            }
        }
        return Ok();
    }
}
----
h| Compliant solution
|
[source,csharp]
----
public class ExampleController : Controller
{
    private readonly string ConnectionString;

    public IActionResult Authenticate(string user, string pass)
    {
        using (var connection = new SqlConnection(ConnectionString))
        {
            var query      = "SELECT * FROM users WHERE user = @UserName AND password = @Password";
            var parameters = new { UserName = user, Password = pass };
            
            var result = connection.QueryFirst<User>(query, parameters);
            if (result == null) {
                Unauthorized();
            }
        }
        return Ok();
    }
}
----
|===

=== How does this work?

include::../../common/fix/prepared-statements.adoc[]
Modify Rule S3649: Education Framework (APPSEC-46 & APPSEC-47) (#1109) 2022-07-27 14:46:13 +02:00			`=== How to fix it in Dapper`

			`include::../../common/fix/code-rationale.adoc[]`

			`[cols="a"]`
			`\|===`
			`h\| Non-compliant code example`
			`\|`
			`[source,csharp]`
			`----`
			`public class ExampleController : Controller`
			`{`
			`private readonly string ConnectionString;`

			`public IActionResult Authenticate(string user, string pass)`
			`{`
			`using (var connection = new SqlConnection(ConnectionString))`
			`{`
			`var query = "SELECT * FROM users WHERE user = '" + use + "' AND pass = '" + pass + "'";`

			`var result = connection.QueryFirst<User>(query); // Noncompliant`
			`if (result == null) {`
			`Unauthorized();`
			`}`
			`}`
			`return Ok();`
			`}`
			`}`
			`----`
			`h\| Compliant solution`
			`\|`
			`[source,csharp]`
			`----`
			`public class ExampleController : Controller`
			`{`
			`private readonly string ConnectionString;`

			`public IActionResult Authenticate(string user, string pass)`
			`{`
			`using (var connection = new SqlConnection(ConnectionString))`
			`{`
			`var query = "SELECT * FROM users WHERE user = @UserName AND password = @Password";`
			`var parameters = new { UserName = user, Password = pass };`

			`var result = connection.QueryFirst<User>(query, parameters);`
			`if (result == null) {`
			`Unauthorized();`
			`}`
			`}`
			`return Ok();`
			`}`
			`}`
			`----`
			`\|===`

			`=== How does this work?`

			`include::../../common/fix/prepared-statements.adoc[]`