From 6bdf0d52206e66073a4df6360dd196d988465829 Mon Sep 17 00:00:00 2001
From: Developer 02
Date: Wed, 7 May 2025 13:28:06 +0200
Subject: [PATCH] Enhance SQL parameter handling in CreateDocumentAsync

Updated the CreateDocumentAsync method in the DocumentExecutor class to use ToSqlParam() for formatting SQL query parameters. This change improves security by preventing potential SQL injection vulnerabilities associated with direct variable insertion into the SQL string.
---
 EnvelopeGenerator.Infrastructure/Executor/DocumentExecutor.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/EnvelopeGenerator.Infrastructure/Executor/DocumentExecutor.cs b/EnvelopeGenerator.Infrastructure/Executor/DocumentExecutor.cs
index aec62eed..0b42a766 100644
--- a/EnvelopeGenerator.Infrastructure/Executor/DocumentExecutor.cs
+++ b/EnvelopeGenerator.Infrastructure/Executor/DocumentExecutor.cs
@@ -18,7 +18,7 @@ public class DocumentExecutor : SQLExecutor, IDocumentExecutor
 {
 using var connection = new SqlConnection(Params.ConnectionString);
 var sql = Provider.GetRequiredService();
- var formattedSql = string.Format(sql.Raw, base64, envelope_uuid);
+ var formattedSql = string.Format(sql.Raw, base64.ToSqlParam(), envelope_uuid.ToSqlParam());
 await connection.OpenAsync(cancellation);
 var documents = await connection.QueryAsync(formattedSql);
 return documents.FirstOrDefault()
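Review bot: The added formattedSql line still splices the two inputs into the SQL text with string.Format, so the injection protection claimed in the commit message rests entirely on how ToSqlParam() quotes and escapes, and that helper is not visible in this patch. The QueryAsync call two lines below appears to be Dapper's extension on SqlConnection, which already takes a parameter object and lets SQL Server bind the values instead of parsing them: drop the formattedSql line and call `var documents = await connection.QueryAsync(sql.Raw, new { base64, envelope_uuid });`, with `sql.Raw` carrying `@base64` and `@envelope_uuid` placeholders in place of its format items (the template is outside this hunk, so confirm what it currently uses). Wrapping the query in a CommandDefinition that carries `cancellation` would also make the token honoured for the query, not only for OpenAsync. CreateDocumentAsync's signature and closing brace lie outside the hunk.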