Enhance SQL handling in EnvelopeReceiverController

- Added using directive for EnvelopeGenerator.Application.SQL.
- Updated SQL command formatting to use ToSqlParam() for improved security against SQL injection.
- Modified history creation SQL command to use string interpolation for parameters.
- Removed explicit parameter addition, streamlining SQL parameter handling.
Developer 02
2025-05-07 15:09:00 +02:00
parent 5f8e8deb5b
commit 9a71d2b805


@@ -6,6 +6,7 @@ using EnvelopeGenerator.Application.DTOs.Receiver;
using EnvelopeGenerator.Application.EnvelopeReceivers.Commands.Create; using EnvelopeGenerator.Application.EnvelopeReceivers.Commands.Create;
using EnvelopeGenerator.Application.EnvelopeReceivers.Queries.Read; using EnvelopeGenerator.Application.EnvelopeReceivers.Queries.Read;
using EnvelopeGenerator.Application.Envelopes.Queries.ReceiverName; using EnvelopeGenerator.Application.Envelopes.Queries.ReceiverName;
using EnvelopeGenerator.Application.SQL;
using EnvelopeGenerator.Domain.Entities; using EnvelopeGenerator.Domain.Entities;
using EnvelopeGenerator.GeneratorAPI.Models; using EnvelopeGenerator.GeneratorAPI.Models;
using MediatR; using MediatR;
@@ -249,7 +250,7 @@ public class EnvelopeReceiverController : ControllerBase
{ {
conn.Open(); conn.Open();
var formattedSQL = string.Format(sql, document.Id, rcv.Id, sign.X, sign.Y, sign.Page); var formattedSQL = string.Format(sql, document.Id.ToSqlParam(), rcv.Id.ToSqlParam(), sign.X.ToSqlParam(), sign.Y.ToSqlParam(), sign.Page.ToSqlParam());
using SqlCommand cmd = new SqlCommand(formattedSQL, conn); using SqlCommand cmd = new SqlCommand(formattedSQL, conn);
cmd.CommandType = CommandType.Text; cmd.CommandType = CommandType.Text;
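Review bot: The formatted command text on the new side of this hunk, `string.Format(sql, document.Id.ToSqlParam(), …)`, still splices the values into the SQL string before `new SqlCommand(formattedSQL, conn)`, so the command is only as safe as the escaping inside `ToSqlParam()`, whose implementation is not part of this diff. That is weaker than the SqlParameter binding the commit removes in the `@@ -264,31` hunk, where `cmd.Parameters.AddWithValue("@ENV_UID", envelope.Uuid);` and the two lines after it are dropped in favour of `formattedSQL_hist`; bound parameters keep data out of the query text entirely and let the server type each value. I would keep the `@ENV_UID`/`@STATUS_ID`/`@USER_ID` placeholders in `sql_hist` together with the three `AddWithValue` calls (or typed `cmd.Parameters.Add(...)` calls), and convert this hunk's `{0}`-style template to named parameters in the same way. If the commit message's security claim rests on `ToSqlParam()`, a short XML doc comment on that helper stating exactly which SQL types it handles and how it escapes them would let reviewers judge it; the enclosing action method starts and ends outside the hunk.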
@@ -264,31 +265,28 @@ public class EnvelopeReceiverController : ControllerBase
#endregion #endregion
#region Create history #region Create history
// ENV_UID, STATUS_ID, USER_ID,
string sql_hist = @" string sql_hist = @"
USE [DD_ECM] USE [DD_ECM]
DECLARE @OUT_SUCCESS bit; DECLARE @OUT_SUCCESS bit;
EXEC [dbo].[PRSIG_API_ADD_HISTORY_STATE] EXEC [dbo].[PRSIG_API_ADD_HISTORY_STATE]
@ENV_UID = @ENV_UID, {0},
@STATUS_ID = @STATUS_ID, {1},
@USER_ID = @USER_ID, {2},
@OUT_SUCCESS = @OUT_SUCCESS OUTPUT; @OUT_SUCCESS OUTPUT;
SELECT @OUT_SUCCESS as [@OUT_SUCCESS];"; SELECT @OUT_SUCCESS as [@OUT_SUCCESS];";
using (SqlConnection conn = new(_cnnStr)) using (SqlConnection conn = new(_cnnStr))
{ {
conn.Open(); conn.Open();
var formattedSQL_hist = string.Format(sql_hist, envelope.Uuid.ToSqlParam(), 1003.ToSqlParam(), userId.ToSqlParam());
using (SqlCommand cmd = new SqlCommand(sql_hist, conn)) using (SqlCommand cmd = new SqlCommand(formattedSQL_hist, conn))
{ {
cmd.CommandType = CommandType.Text; cmd.CommandType = CommandType.Text;
cmd.Parameters.AddWithValue("@ENV_UID", envelope.Uuid);
cmd.Parameters.AddWithValue("@STATUS_ID", 1003);
cmd.Parameters.AddWithValue("@USER_ID", userId);
using (SqlDataReader reader = cmd.ExecuteReader()) using (SqlDataReader reader = cmd.ExecuteReader())
{ {
if (reader.Read()) if (reader.Read())