SQL Injection question on below Implementation
keerthirajap opened this issue · comments
Question
Will below implementations cause SQL Injection issues. Can you please advice on using inline queries and passing parameters "SELECT * FROM Beer WHERE type = @type".
Are both implementations are safe to use?
Steps to reproduce
Implementation 1
public interface IBeerRepository
{
[Sql("SELECT * FROM Beer WHERE type = @type")]
IList<Beer> GetBeerByType(string type);
}
Implementation 2
IList<Beer> beer = Database.Connection().QuerySql<Beer>(
"SELECT * FROM Beer WHERE Name = @Name",
new { Name = "IPA" });
- Dotnet version: [netcore2,]
- Database: [SQL Server]
- Library version: [6.2.3]
Insight will create parameters for anything that you `@param`, regardless of whether you use an interface or directly use the connections.
…________________________________
From: keerthiraja1988 <notifications@github.com>
Sent: Thursday, March 14, 2019 6:09 AM
To: jonwagner/Insight.Database
Cc: Subscribed
Subject: [jonwagner/Insight.Database] SQL Injection question on below Implementation (#392)
Question
Will below implementations cause SQL Injection issues. Can you please advice on using inline queries and passing parameters "SELECT * FROM Beer WHERE type = @type<https://github.com/type>".
Are both implementations are safe to use?
Steps to reproduce
Implementation 1
public interface IBeerRepository
{
[Sql("SELECT * FROM Beer WHERE type = @type")]
IList<Beer> GetBeerByType(string type);
}
Implementation 2
IList<Beer> beer = Database.Connection().QuerySql<Beer>(
"SELECT * FROM Beer WHERE Name = @name",
new { Name = "IPA" });
* Dotnet version: [netcore2,]
* Database: [SQL Server]
* Library version: [6.2.3]
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub<#392>, or mute the thread<https://github.com/notifications/unsubscribe-auth/ABk3dBf7OThSicAeza1rao0IdnHnIv7fks5vWh_XgaJpZM4bzwWH>.