From 9a71d2b805eb3e983d722ee24030ec6f9f024f70 Mon Sep 17 00:00:00 2001
From: Developer 02
Date: Wed, 7 May 2025 15:09:00 +0200
Subject: [PATCH] Enhance SQL handling in EnvelopeReceiverController

- Added using directive for EnvelopeGenerator.Application.SQL.
- Updated SQL command formatting to use ToSqlParam() for improved security against SQL injection.
- Modified history creation SQL command to use string interpolation for parameters.
- Removed explicit parameter addition, streamlining SQL parameter handling.
---
 .../Controllers/EnvelopeReceiverController.cs | 20 +++++++++----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/EnvelopeGenerator.GeneratorAPI/Controllers/EnvelopeReceiverController.cs b/EnvelopeGenerator.GeneratorAPI/Controllers/EnvelopeReceiverController.cs
index f16c9030..d4df62db 100644
--- a/EnvelopeGenerator.GeneratorAPI/Controllers/EnvelopeReceiverController.cs
+++ b/EnvelopeGenerator.GeneratorAPI/Controllers/EnvelopeReceiverController.cs
@@ -6,6 +6,7 @@ using EnvelopeGenerator.Application.DTOs.Receiver;
 using EnvelopeGenerator.Application.EnvelopeReceivers.Commands.Create;
 using EnvelopeGenerator.Application.EnvelopeReceivers.Queries.Read;
 using EnvelopeGenerator.Application.Envelopes.Queries.ReceiverName;
+using EnvelopeGenerator.Application.SQL;
 using EnvelopeGenerator.Domain.Entities;
 using EnvelopeGenerator.GeneratorAPI.Models;
 using MediatR;
@@ -249,7 +250,7 @@ public class EnvelopeReceiverController : ControllerBase
 {
 conn.Open();
-var formattedSQL = string.Format(sql, document.Id, rcv.Id, sign.X, sign.Y, sign.Page);
+var formattedSQL = string.Format(sql, document.Id.ToSqlParam(), rcv.Id.ToSqlParam(), sign.X.ToSqlParam(), sign.Y.ToSqlParam(), sign.Page.ToSqlParam());
 using SqlCommand cmd = new SqlCommand(formattedSQL, conn);
 cmd.CommandType = CommandType.Text;
 
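Review bot: The new `formattedSQL` line still splices the values into the SQL text with `string.Format`, so `SqlCommand` receives a literal string rather than a parameterized command, and whether that is injection-safe depends entirely on what `ToSqlParam()` (from the newly imported EnvelopeGenerator.Application.SQL, not visible here) emits — if it only quotes or escapes the value, the "improved security against SQL injection" claimed in the commit message is not established by this hunk. The same pattern is introduced in the following hunk (`-264,31 +265,28`), where it replaces an existing parameterized form — `cmd.Parameters.AddWithValue("@ENV_UID", envelope.Uuid);` with `@ENV_UID` placeholders in the SQL — which reads as a regression rather than a hardening. Prefer `@name` placeholders in `sql` plus `cmd.Parameters.Add("@name", SqlDbType.Int).Value = document.Id;` (names and types to be matched to the actual `sql` text) here, and keep the existing `AddWithValue` calls in the history hunk; that also avoids `string.Format` throwing if the SQL text ever contains a literal brace. The enclosing method and the `sql` string begin outside this hunk, so its placeholders cannot be checked from here.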
@@ -264,31 +265,28 @@ public class EnvelopeReceiverController : ControllerBase
 #endregion
 #region Create history
+// ENV_UID, STATUS_ID, USER_ID,
 string sql_hist = @"
 USE [DD_ECM]
 DECLARE @OUT_SUCCESS bit;
 EXEC [dbo].[PRSIG_API_ADD_HISTORY_STATE]
-@ENV_UID = @ENV_UID,
-@STATUS_ID = @STATUS_ID,
-@USER_ID = @USER_ID,
-@OUT_SUCCESS = @OUT_SUCCESS OUTPUT;
+{0},
+{1},
+{2},
+@OUT_SUCCESS OUTPUT;
 SELECT @OUT_SUCCESS as [@OUT_SUCCESS];";
 using (SqlConnection conn = new(_cnnStr))
 {
 conn.Open();
-
-using (SqlCommand cmd = new SqlCommand(sql_hist, conn))
+var formattedSQL_hist = string.Format(sql_hist, envelope.Uuid.ToSqlParam(), 1003.ToSqlParam(), userId.ToSqlParam());
+using (SqlCommand cmd = new SqlCommand(formattedSQL_hist, conn))
 {
 cmd.CommandType = CommandType.Text;
-cmd.Parameters.AddWithValue("@ENV_UID", envelope.Uuid);
-cmd.Parameters.AddWithValue("@STATUS_ID", 1003);
-cmd.Parameters.AddWithValue("@USER_ID", userId);
-
 using (SqlDataReader reader = cmd.ExecuteReader())
 {
 if (reader.Read())