58 lines
1.4 KiB
Plaintext
58 lines
1.4 KiB
Plaintext
=== How to fix it in Dapper
|
|
|
|
include::../../common/fix/code-rationale.adoc[]
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,csharp,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
public class ExampleController : Controller
|
|
{
|
|
private readonly string ConnectionString;
|
|
|
|
public IActionResult Authenticate(string user, string pass)
|
|
{
|
|
using (var connection = new SqlConnection(ConnectionString))
|
|
{
|
|
var query = "SELECT * FROM users WHERE user = '" + use + "' AND pass = '" + pass + "'";
|
|
|
|
var result = connection.QueryFirst<User>(query);
|
|
if (result == null) {
|
|
Unauthorized();
|
|
}
|
|
}
|
|
return Ok();
|
|
}
|
|
}
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,csharp,diff-id=1,diff-type=compliant]
|
|
----
|
|
public class ExampleController : Controller
|
|
{
|
|
private readonly string ConnectionString;
|
|
|
|
public IActionResult Authenticate(string user, string pass)
|
|
{
|
|
using (var connection = new SqlConnection(ConnectionString))
|
|
{
|
|
var query = "SELECT * FROM users WHERE user = @UserName AND password = @Password";
|
|
var parameters = new { UserName = user, Password = pass };
|
|
|
|
var result = connection.QueryFirst<User>(query, parameters);
|
|
if (result == null) {
|
|
Unauthorized();
|
|
}
|
|
}
|
|
return Ok();
|
|
}
|
|
}
|
|
----
|
|
|
|
=== How does this work?
|
|
|
|
include::../../common/fix/prepared-statements.adoc[]
|
|
|