AppStd/EnvelopeGenerator
8
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Enhance SQL parameter handling in CreateDocumentAsync

Browse Source 
Updated the CreateDocumentAsync method in the DocumentExecutor class to use ToSqlParam() for formatting SQL query parameters. This change improves security by preventing potential SQL injection vulnerabilities associated with direct variable insertion into the SQL string.
This commit is contained in:
Developer 02
2025-05-07 13:28:06 +02:00
parent ad855b77cd
commit 6bdf0d5220
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
EnvelopeGenerator.Infrastructure/Executor/DocumentExecutor.cs
View File

@@ -18,7 +18,7 @@ public class DocumentExecutor : SQLExecutor, IDocumentExecutor
{
using var connection = new SqlConnection(Params.ConnectionString);
var sql = Provider.GetRequiredService<DocumentCreateReadSQL>();
var formattedSql = string.Format(sql.Raw, base64, envelope_uuid);
var formattedSql = string.Format(sql.Raw, base64.ToSqlParam(), envelope_uuid.ToSqlParam());
await connection.OpenAsync(cancellation);
var documents = await connection.QueryAsync<EnvelopeDocument>(formattedSql);
return documents.FirstOrDefault()