rspec/rules/S2077/csharp/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

----
public void Foo(DbContext context, string query, string param)
{
    string sensitiveQuery = string.Concat(query, param); 
    context.Database.ExecuteSqlCommand(sensitiveQuery); // Sensitive
    context.Query<User>().FromSql(sensitiveQuery); // Sensitive

    context.Database.ExecuteSqlCommand($"SELECT * FROM mytable WHERE mycol={value}", param); // Sensitive, the FormattableString is evaluated and converted to RawSqlString
    string query = $"SELECT * FROM mytable WHERE mycol={param}";
    context.Database.ExecuteSqlCommand(query); // Sensitive, the FormattableString has already been evaluated, it won't be converted to a parametrized query.
}

public void Bar(SqlConnection connection, string param)
{
    SqlCommand command;
    string sensitiveQuery = string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param);
    command = new SqlCommand(sensitiveQuery); // Sensitive

    command.CommandText = sensitiveQuery; // Sensitive

    SqlDataAdapter adapter;
    adapter = new SqlDataAdapter(sensitiveQuery, connection); // Sensitive
}
----

== Compliant Solution

----
public void Foo(DbContext context, string query, string param)
{
    context.Database.ExecuteSqlCommand("SELECT * FROM mytable WHERE mycol=@p0", param); // Compliant, it's a parametrized safe query
}
----

include::../see.adoc[]

ifdef::rspecator-view[]
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::rspecator-view[]
move coveredLangauges and replacementRules into extra field 2021-02-16 17:52:17 +01:00			`include::../description.adoc[]`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00
			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`----`
			`public void Foo(DbContext context, string query, string param)`
			`{`
			`string sensitiveQuery = string.Concat(query, param);`
			`context.Database.ExecuteSqlCommand(sensitiveQuery); // Sensitive`
			`context.Query<User>().FromSql(sensitiveQuery); // Sensitive`

			`context.Database.ExecuteSqlCommand($"SELECT * FROM mytable WHERE mycol={value}", param); // Sensitive, the FormattableString is evaluated and converted to RawSqlString`
			`string query = $"SELECT * FROM mytable WHERE mycol={param}";`
			`context.Database.ExecuteSqlCommand(query); // Sensitive, the FormattableString has already been evaluated, it won't be converted to a parametrized query.`
			`}`

			`public void Bar(SqlConnection connection, string param)`
			`{`
			`SqlCommand command;`
			`string sensitiveQuery = string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param);`
			`command = new SqlCommand(sensitiveQuery); // Sensitive`

			`command.CommandText = sensitiveQuery; // Sensitive`

			`SqlDataAdapter adapter;`
			`adapter = new SqlDataAdapter(sensitiveQuery, connection); // Sensitive`
			`}`
			`----`

			`== Compliant Solution`

			`----`
			`public void Foo(DbContext context, string query, string param)`
			`{`
			`context.Database.ExecuteSqlCommand("SELECT * FROM mytable WHERE mycol=@p0", param); // Compliant, it's a parametrized safe query`
			`}`
			`----`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
			`ifdef::rspecator-view[]`
			`== Comments And Links`
			`(visible only on this page)`

			`include::comments-and-links.adoc[]`
			`endif::rspecator-view[]`