rspec/rules/S3649/csharp/how-to-fix-it/dapper.adoc

== How to fix it in Dapper

=== Code examples

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,csharp,diff-id=1,diff-type=noncompliant]
----
public class ExampleController : Controller
{
    private readonly string ConnectionString;

    public IActionResult Authenticate(string user, string pass)
    {
        using (var connection = new SqlConnection(ConnectionString))
        {
            var query = "SELECT * FROM users WHERE user = '" + use + "' AND pass = '" + pass + "'";
            
            var result = connection.QueryFirst<User>(query);
            if (result == null) {
                Unauthorized();
            }
        }
        return Ok();
    }
}
----

==== Compliant solution

[source,csharp,diff-id=1,diff-type=compliant]
----
public class ExampleController : Controller
{
    private readonly string ConnectionString;

    public IActionResult Authenticate(string user, string pass)
    {
        using (var connection = new SqlConnection(ConnectionString))
        {
            var query      = "SELECT * FROM users WHERE user = @UserName AND password = @Password";
            var parameters = new { UserName = user, Password = pass };
            
            var result = connection.QueryFirst<User>(query, parameters);
            if (result == null) {
                Unauthorized();
            }
        }
        return Ok();
    }
}
----

=== How does this work?

include::../../common/fix/prepared-statements.adoc[]