63 lines
1.3 KiB
Plaintext
63 lines
1.3 KiB
Plaintext
== How to fix it in Entity Framework Core
|
|
|
|
=== Code examples
|
|
|
|
include::../../common/fix/code-rationale.adoc[]
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,csharp,diff-id=11,diff-type=noncompliant]
|
|
----
|
|
public class ExampleController : Controller
|
|
{
|
|
private readonly UserAccountContext Context;
|
|
|
|
public IActionResult Authenticate(string user, string pass)
|
|
{
|
|
var query = "SELECT * FROM users WHERE user = '" + user + "' AND pass = '" + pass + "'";
|
|
|
|
var queryResults = Context
|
|
.Database
|
|
.FromSqlRaw(query);
|
|
|
|
if (queryResults == 0)
|
|
{
|
|
return Unauthorized();
|
|
}
|
|
|
|
return Ok();
|
|
}
|
|
}
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,csharp,diff-id=11,diff-type=compliant]
|
|
----
|
|
public class ExampleController : Controller
|
|
{
|
|
private readonly UserAccountContext Context;
|
|
|
|
public IActionResult Authenticate(string user, string pass)
|
|
{
|
|
var query = "SELECT * FROM users WHERE user = {0} AND pass = {1}";
|
|
|
|
var queryResults = Context
|
|
.Database
|
|
.FromSqlRaw(query, user, pass);
|
|
|
|
if (queryResults == 0)
|
|
{
|
|
return Unauthorized();
|
|
}
|
|
|
|
return Ok();
|
|
}
|
|
}
|
|
----
|
|
|
|
=== How does this work?
|
|
|
|
include::../../common/fix/prepared-statements.adoc[]
|
|
|