Enhance SQL handling in EnvelopeReceiverController

- Added using directive for EnvelopeGenerator.Application.SQL.
- Updated SQL command formatting to use ToSqlParam() for improved security against SQL injection.
- Modified history creation SQL command to use string interpolation for parameters.
- Removed explicit parameter addition, streamlining SQL parameter handling.
This commit is contained in:
Developer 02
2025-05-07 15:09:00 +02:00
parent 5f8e8deb5b
commit 9a71d2b805


@@ -6,6 +6,7 @@ using EnvelopeGenerator.Application.DTOs.Receiver;
using EnvelopeGenerator.Application.EnvelopeReceivers.Commands.Create;
using EnvelopeGenerator.Application.EnvelopeReceivers.Queries.Read;
using EnvelopeGenerator.Application.Envelopes.Queries.ReceiverName;
using EnvelopeGenerator.Application.SQL;
using EnvelopeGenerator.Domain.Entities;
using EnvelopeGenerator.GeneratorAPI.Models;
using MediatR;
@@ -249,7 +250,7 @@ public class EnvelopeReceiverController : ControllerBase
{
conn.Open();
var formattedSQL = string.Format(sql, document.Id, rcv.Id, sign.X, sign.Y, sign.Page);
var formattedSQL = string.Format(sql, document.Id.ToSqlParam(), rcv.Id.ToSqlParam(), sign.X.ToSqlParam(), sign.Y.ToSqlParam(), sign.Page.ToSqlParam());
using SqlCommand cmd = new SqlCommand(formattedSQL, conn);
cmd.CommandType = CommandType.Text;
@@ -264,31 +265,28 @@ public class EnvelopeReceiverController : ControllerBase
#endregion
#region Create history
// ENV_UID, STATUS_ID, USER_ID,
string sql_hist = @"
USE [DD_ECM]
DECLARE @OUT_SUCCESS bit;
EXEC [dbo].[PRSIG_API_ADD_HISTORY_STATE]
@ENV_UID = @ENV_UID,
@STATUS_ID = @STATUS_ID,
@USER_ID = @USER_ID,
@OUT_SUCCESS = @OUT_SUCCESS OUTPUT;
{0},
{1},
{2},
@OUT_SUCCESS OUTPUT;
SELECT @OUT_SUCCESS as [@OUT_SUCCESS];";
using (SqlConnection conn = new(_cnnStr))
{
conn.Open();
using (SqlCommand cmd = new SqlCommand(sql_hist, conn))
var formattedSQL_hist = string.Format(sql_hist, envelope.Uuid.ToSqlParam(), 1003.ToSqlParam(), userId.ToSqlParam());
using (SqlCommand cmd = new SqlCommand(formattedSQL_hist, conn))
{
cmd.CommandType = CommandType.Text;
cmd.Parameters.AddWithValue("@ENV_UID", envelope.Uuid);
cmd.Parameters.AddWithValue("@STATUS_ID", 1003);
cmd.Parameters.AddWithValue("@USER_ID", userId);
using (SqlDataReader reader = cmd.ExecuteReader())
{
if (reader.Read())