From 38d05850e3116c06cf70d12e127584761396f4d3 Mon Sep 17 00:00:00 2001
From: Developer 02
Date: Wed, 7 May 2025 13:11:52 +0200
Subject: [PATCH] Refactor CreateEnvelopeAsync to use string formatting

Updated the `CreateEnvelopeAsync` method in the `EnvelopeExecutor` class to handle SQL parameters by directly formatting the SQL string with `string.Format`, replacing the previous parameterized query approach. This change enhances readability but may introduce potential SQL injection risks if not managed carefully.
---
 EnvelopeGenerator.Infrastructure/Executor/EnvelopeExecutor.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/EnvelopeGenerator.Infrastructure/Executor/EnvelopeExecutor.cs b/EnvelopeGenerator.Infrastructure/Executor/EnvelopeExecutor.cs
index 0933997c..945f1ac7 100644
--- a/EnvelopeGenerator.Infrastructure/Executor/EnvelopeExecutor.cs
+++ b/EnvelopeGenerator.Infrastructure/Executor/EnvelopeExecutor.cs
@@ -23,9 +23,9 @@ public class EnvelopeExecutor : SQLExecutor, IEnvelopeExecutor
 {
 using var connection = new SqlConnection(Params.ConnectionString);
 var sql = Provider.GetRequiredService();
+ var formattedSql = string.Format(sql.Raw, userId.ToSqlParam(), title.ToSqlParam(), tfaEnabled.ToSqlParam(), message.ToSqlParam());
 await connection.OpenAsync(cancellation);
- var parameters = EnvelopeCreateReadSQL.CreateParmas(userId, title, message, tfaEnabled);
- var envelopes = await connection.QueryAsync(sql.Raw, parameters);
+ var envelopes = await connection.QueryAsync(formattedSql);
 var envelope = envelopes.FirstOrDefault() ?? throw new InvalidOperationException($"Envelope creation failed. Parameters:" +
 $"userId={userId}, title='{title}', message='{message}', tfaEnabled={tfaEnabled}.");
 ;
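Review bot: The added `formattedSql` line splices `title` and `message` — values supplied by the caller and presumably originating from end users — straight into the SQL text, so the statement's structure now depends entirely on what `ToSqlParam()` does with quotes and control characters, whereas the removed parameterized call kept data and SQL structurally separate and nothing in the hunk shows the escaping to be equivalent. Since the commit message itself acknowledges the injection risk, the safer choice is to keep the parameterized form: `var parameters = EnvelopeCreateReadSQL.CreateParmas(userId, title, message, tfaEnabled);` followed by `var envelopes = await connection.QueryAsync(sql.Raw, parameters);`. Parameterized statements also let SQL Server reuse one cached plan for the template instead of compiling a new one per distinct title. Note too that the new call passes the values in the order `userId, title, tfaEnabled, message` while the removed helper took `userId, title, message, tfaEnabled`, so the placeholders in `sql.Raw` should be checked against the new order if this approach is kept. `CreateEnvelopeAsync`'s signature and the remainder of its body lie outside the hunk.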