Refactor SQL parameter handling in EnvelopeReceiverController

Updated the SQL command execution in `EnvelopeReceiverController.cs` to use a formatted SQL string with `string.Format` instead of parameterized commands. This change simplifies command preparation but may increase the risk of SQL injection if input values are not properly sanitized.
2025-05-07 15:03:27 +02:00 · 2025-05-07 15:03:27 +02:00 · 5f8e8deb5b
commit 5f8e8deb5b
parent 645153113c
1 changed files with 10 additions and 15 deletions
--- a/EnvelopeGenerator.GeneratorAPI/Controllers/EnvelopeReceiverController.cs
+++ b/EnvelopeGenerator.GeneratorAPI/Controllers/EnvelopeReceiverController.cs
@ -228,18 +228,17 @@ public class EnvelopeReceiverController : ControllerBase
            #endregion
            #region Add document element
            // @DOC_ID, @RECEIVER_ID, @POSITION_X, @POSITION_Y, @PAGE
            string sql = @"
                USE [DD_ECM]
                DECLARE @OUT_SUCCESS bit;
                EXEC [dbo].[PRSIG_API_ADD_DOC_RECEIVER_ELEM]
-                    @DOC_ID = @DOC_ID,
+                    {0},
-                    @RECEIVER_ID = @RECEIVER_ID,
+                    {1},
-                    @POSITION_X = @POSITION_X,
+                    {2},
-                    @POSITION_Y = @POSITION_Y,
+                    {3},
-                    @PAGE = @PAGE,
+                    {4},
-                    @OUT_SUCCESS = @OUT_SUCCESS OUTPUT;
+                    @OUT_SUCCESS OUTPUT;
                SELECT @OUT_SUCCESS as [@OUT_SUCCESS];";
@ -250,14 +249,10 @@ public class EnvelopeReceiverController : ControllerBase
                    {
                        conn.Open();
-                        using SqlCommand cmd = new SqlCommand(sql, conn);
+                        var formattedSQL = string.Format(sql, document.Id, rcv.Id, sign.X, sign.Y, sign.Page);
                        cmd.CommandType = CommandType.Text;
-                        cmd.Parameters.AddWithValue("@DOC_ID", document.Id);
+                        using SqlCommand cmd = new SqlCommand(formattedSQL, conn);
-                        cmd.Parameters.AddWithValue("@RECEIVER_ID", rcv.Id);
+                        cmd.CommandType = CommandType.Text;
                        cmd.Parameters.AddWithValue("@POSITION_X", sign.X.ToString());
                        cmd.Parameters.AddWithValue("@POSITION_Y", sign.Y.ToString());
                        cmd.Parameters.AddWithValue("@PAGE", sign.Page.ToString());
                        using SqlDataReader reader = cmd.ExecuteReader();
                        if (reader.Read())