Refactor SQL parameter handling in EnvelopeReceiverController
Updated the SQL command execution in `EnvelopeReceiverController.cs` to use a formatted SQL string with `string.Format` instead of parameterized commands. This change simplifies command preparation but may increase the risk of SQL injection if input values are not properly sanitized.
This commit is contained in:
parent
645153113c
commit
5f8e8deb5b
@ -228,18 +228,17 @@ public class EnvelopeReceiverController : ControllerBase
#endregion
#region Add document element
// @DOC_ID, @RECEIVER_ID, @POSITION_X, @POSITION_Y, @PAGE
string sql = @"
USE [DD_ECM]
DECLARE @OUT_SUCCESS bit;
EXEC [dbo].[PRSIG_API_ADD_DOC_RECEIVER_ELEM]
@DOC_ID = @DOC_ID,
@RECEIVER_ID = @RECEIVER_ID,
@POSITION_X = @POSITION_X,
@POSITION_Y = @POSITION_Y,
@PAGE = @PAGE,
@OUT_SUCCESS = @OUT_SUCCESS OUTPUT;
{0},
{1},
{2},
{3},
{4},
@OUT_SUCCESS OUTPUT;
SELECT @OUT_SUCCESS as [@OUT_SUCCESS];";
@ -250,14 +249,10 @@ public class EnvelopeReceiverController : ControllerBase
{
conn.Open();
using SqlCommand cmd = new SqlCommand(sql, conn);
cmd.CommandType = CommandType.Text;
var formattedSQL = string.Format(sql, document.Id, rcv.Id, sign.X, sign.Y, sign.Page);
cmd.Parameters.AddWithValue("@DOC_ID", document.Id);
cmd.Parameters.AddWithValue("@RECEIVER_ID", rcv.Id);
cmd.Parameters.AddWithValue("@POSITION_X", sign.X.ToString());
cmd.Parameters.AddWithValue("@POSITION_Y", sign.Y.ToString());
cmd.Parameters.AddWithValue("@PAGE", sign.Page.ToString());
using SqlCommand cmd = new SqlCommand(formattedSQL, conn);
cmd.CommandType = CommandType.Text;
using SqlDataReader reader = cmd.ExecuteReader();
if (reader.Read())
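Review bot: The new side of this hunk builds the statement with `string.Format(sql, document.Id, rcv.Id, sign.X, sign.Y, sign.Page)` and executes that text, so each of those values is spliced into the T-SQL instead of being bound — exactly the injection exposure the commit message concedes — and the positional `{0}, … {4},` slots in the previous hunk's EXEC argument list are where they land. The parameterized form should stay: keep `EXEC … @DOC_ID = @DOC_ID, …` in the template, execute `using SqlCommand cmd = new SqlCommand(sql, conn);` and bind each value with an explicitly typed parameter such as `cmd.Parameters.Add("@DOC_ID", SqlDbType.Int).Value = document.Id;` (pick the SqlDbType matching the procedure's declared parameter, which is also preferable to the AddWithValue inference the old lines relied on). Independently of injection, `string.Format` uses the current culture, so if sign.X/sign.Y are floating-point a comma decimal separator would yield invalid T-SQL, and any string- or GUID-typed id would be emitted without quotes. The enclosing method and the connection's `using` block begin outside the hunk.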