From 5f8e8deb5b27d288e70c2e9c00037a7bb8cb8716 Mon Sep 17 00:00:00 2001
From: Developer 02
Date: Wed, 7 May 2025 15:03:27 +0200
Subject: [PATCH] Refactor SQL parameter handling in EnvelopeReceiverController
Updated the SQL command execution in `EnvelopeReceiverController.cs` to use a formatted SQL string with `string.Format` instead of parameterized commands. This change simplifies command preparation but may increase the risk of SQL injection if input values are not properly sanitized.
---
 .../Controllers/EnvelopeReceiverController.cs | 25 ++++++++-----------
 1 file changed, 10 insertions(+), 15 deletions(-)
diff --git a/EnvelopeGenerator.GeneratorAPI/Controllers/EnvelopeReceiverController.cs b/EnvelopeGenerator.GeneratorAPI/Controllers/EnvelopeReceiverController.cs
index 86411eea..f16c9030 100644
--- a/EnvelopeGenerator.GeneratorAPI/Controllers/EnvelopeReceiverController.cs
+++ b/EnvelopeGenerator.GeneratorAPI/Controllers/EnvelopeReceiverController.cs
@@ -228,18 +228,17 @@ public class EnvelopeReceiverController : ControllerBase
 #endregion
 #region Add document element
+ // @DOC_ID, @RECEIVER_ID, @POSITION_X, @POSITION_Y, @PAGE
 string sql = @"
- USE [DD_ECM] - DECLARE @OUT_SUCCESS bit;
 EXEC [dbo].[PRSIG_API_ADD_DOC_RECEIVER_ELEM]
- @DOC_ID = @DOC_ID,
- @RECEIVER_ID = @RECEIVER_ID,
- @POSITION_X = @POSITION_X,
- @POSITION_Y = @POSITION_Y,
- @PAGE = @PAGE,
- @OUT_SUCCESS = @OUT_SUCCESS OUTPUT;
+ {0},
+ {1},
+ {2},
+ {3},
+ {4},
+ @OUT_SUCCESS OUTPUT;
 SELECT @OUT_SUCCESS as [@OUT_SUCCESS];";
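Review bot: Substituting the call arguments into the SQL text via the `{0}`…`{4}` placeholders introduced here (and the matching `string.Format(sql, document.Id, rcv.Id, sign.X, sign.Y, sign.Page)` call in the second hunk, `@@ -250,14 +249,10 @@`) removes the code/data boundary that the removed `@DOC_ID = @DOC_ID, …` parameter list and the five `cmd.Parameters.AddWithValue(...)` calls provided; the commit message itself acknowledges the injection exposure, and `SqlCommand` parameters cost nothing here. Keep the named-parameter `EXEC` and the `AddWithValue` calls (or `cmd.Parameters.Add("@DOC_ID", SqlDbType.…).Value = document.Id` with explicit types), which also avoids a syntax failure on ordinary input should `document.Id` or `rcv.Id` be strings, since formatted values land unquoted in the statement. If `DECLARE @OUT_SUCCESS bit;` is removed in this hunk as well (the collapsed text leaves that ambiguous), the `@OUT_SUCCESS OUTPUT` argument and the final `SELECT` reference an undeclared variable and the batch fails at execution. The enclosing action method starts before and ends after this hunk.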
@@ -250,14 +249,10 @@ public class EnvelopeReceiverController : ControllerBase
 {
 conn.Open();
- using SqlCommand cmd = new SqlCommand(sql, conn);
- cmd.CommandType = CommandType.Text;
+ var formattedSQL = string.Format(sql, document.Id, rcv.Id, sign.X, sign.Y, sign.Page);
- cmd.Parameters.AddWithValue("@DOC_ID", document.Id);
- cmd.Parameters.AddWithValue("@RECEIVER_ID", rcv.Id);
- cmd.Parameters.AddWithValue("@POSITION_X", sign.X.ToString());
- cmd.Parameters.AddWithValue("@POSITION_Y", sign.Y.ToString());
- cmd.Parameters.AddWithValue("@PAGE", sign.Page.ToString());
+ using SqlCommand cmd = new SqlCommand(formattedSQL, conn);
+ cmd.CommandType = CommandType.Text;
 using SqlDataReader reader = cmd.ExecuteReader();
 if (reader.Read())
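Review bot: `string.Format(sql, document.Id, rcv.Id, sign.X, sign.Y, sign.Page)` formats with the current culture, so if `sign.X`/`sign.Y` are non-integer numerics (the removed code only shows they went through `.ToString()`), a comma decimal separator turns one positional argument into two in the `EXEC` list and the command fails on otherwise valid input. Should this line survive rather than the parameterized form, at minimum pass the culture explicitly, `string.Format(CultureInfo.InvariantCulture, sql, document.Id, rcv.Id, sign.X, sign.Y, sign.Page)`, and name the local `formattedSql` per the file's camelCase convention. The enclosing method continues outside this hunk.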