AppStd/EnvelopeGenerator
8
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Refactor CreateEnvelopeAsync to use string formatting

Browse Source 
Updated the `CreateEnvelopeAsync` method in the `EnvelopeExecutor` class to handle SQL parameters by directly formatting the SQL string with `string.Format`, replacing the previous parameterized query approach. This change enhances readability but may introduce potential SQL injection risks if not managed carefully.
This commit is contained in:
Developer 02 2025-05-07 13:11:52 +02:00
parent 06d25b6f5b
commit 38d05850e3
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
EnvelopeGenerator.Infrastructure/Executor/EnvelopeExecutor.cs
View File

@ -23,9 +23,9 @@ public class EnvelopeExecutor : SQLExecutor, IEnvelopeExecutor
{
using var connection = new SqlConnection(Params.ConnectionString);
var sql = Provider.GetRequiredService<EnvelopeCreateReadSQL>();
var formattedSql = string.Format(sql.Raw, userId.ToSqlParam(), title.ToSqlParam(), tfaEnabled.ToSqlParam(), message.ToSqlParam());
await connection.OpenAsync(cancellation);
var parameters = EnvelopeCreateReadSQL.CreateParmas(userId, title, message, tfaEnabled);
var envelopes = await connection.QueryAsync<Envelope>(sql.Raw, parameters);
var envelopes = await connection.QueryAsync<Envelope>(formattedSql);
var envelope = envelopes.FirstOrDefault()
?? throw new InvalidOperationException($"Envelope creation failed. Parameters:" +
$"userId={userId}, title='{title}', message='{message}', tfaEnabled={tfaEnabled}."); ;