Analyzer: interpolated string usage #143

Open
mgravell opened this issue Dec 14, 2024 · 0 comments
mgravell commented Dec 14, 2024

We should detect usage like:

conn.Execute($"update foo set balance={value} where id={id}");

and issue a warning, but: this should only apply when the receiving parameter is a string. I have a plan for future magic voodoo here! There is a future version of Dapper where something very similar, i.e.

conn.Execute($"update foo set balance=@{value} where id=@{id}");

actually works and does the correct thing. I have a working prototype. Must handle all types of interpolated string literals ($", $""", possibly $"" etc.).

Warning something like:

Interpolated strings should not be used as an alternative to parameterization, and can represent a significant security risk (SQL injection)

If we add the proposed Dapper feature, we can reword this and point them to the new usage.
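One way to implement the check described above, as an added example and not code from the Dapper project or from the issue author: a Roslyn DiagnosticAnalyzer that warns when an interpolated string containing at least one {hole} is bound to a string-typed parameter of a Dapper SqlMapper method. It works on the bound operation tree rather than raw syntax, so $"...", $@"..." and $"""...""" literals are all seen as one IInterpolatedStringOperation, and the parameter type is known after overload resolution, which is what lets the warning stay silent for a future overload that takes an interpolated-string handler instead of a string. The diagnostic id DAPX001 and the restriction to methods on Dapper.SqlMapper are assumptions made for illustration.

```csharp
// Added example, not the Dapper project's own analyzer. Assumptions: the diagnostic id
// DAPX001 is hypothetical, and the check is scoped to extension methods on Dapper.SqlMapper.
using System.Collections.Immutable;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.Diagnostics;
using Microsoft.CodeAnalysis.Operations;

[DiagnosticAnalyzer(LanguageNames.CSharp)]
public sealed class InterpolatedSqlAnalyzer : DiagnosticAnalyzer
{
    public static readonly DiagnosticDescriptor InterpolatedSql = new(
        id: "DAPX001",
        title: "Interpolated string used as SQL",
        messageFormat: "Interpolated strings should not be used as an alternative to parameterization, "
                     + "and can represent a significant security risk (SQL injection)",
        category: "Security",
        defaultSeverity: DiagnosticSeverity.Warning,
        isEnabledByDefault: true);

    public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics
        => ImmutableArray.Create(InterpolatedSql);

    public override void Initialize(AnalysisContext context)
    {
        context.EnableConcurrentExecution();
        context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
        // Inspect invocations in the bound operation tree: $"", $@"" and $"""..."""
        // all surface as IInterpolatedStringOperation, and parameter types are resolved.
        context.RegisterOperationAction(AnalyzeInvocation, OperationKind.Invocation);
    }

    private static void AnalyzeInvocation(OperationAnalysisContext context)
    {
        var invocation = (IInvocationOperation)context.Operation;
        if (!IsDapperSqlMapperMethod(invocation.TargetMethod)) return;

        foreach (var argument in invocation.Arguments)
        {
            // Only warn when the receiving parameter is a plain string. An overload whose
            // parameter is an interpolated-string handler has a different type and is skipped.
            if (argument.Parameter?.Type.SpecialType != SpecialType.System_String) continue;

            var value = Unwrap(argument.Value);
            if (value is IInterpolatedStringOperation interpolated && HasHoles(interpolated))
            {
                context.ReportDiagnostic(Diagnostic.Create(InterpolatedSql, value.Syntax.GetLocation()));
            }
        }
    }

    // Assumed scope: the SqlMapper extension methods (Execute, Query, ...) in namespace Dapper.
    private static bool IsDapperSqlMapperMethod(IMethodSymbol method)
    {
        var type = method.ContainingType;
        return type is not null
            && type.Name == "SqlMapper"
            && type.ContainingNamespace is { Name: "Dapper" } ns
            && ns.ContainingNamespace.IsGlobalNamespace;
    }

    // Strip implicit conversions (for example string -> object) so the literal itself is inspected.
    private static IOperation Unwrap(IOperation operation)
    {
        while (operation is IConversionOperation conversion) operation = conversion.Operand;
        return operation;
    }

    // $"select 1" with no holes is a compile-time constant and carries no injection risk.
    private static bool HasHoles(IInterpolatedStringOperation interpolated)
    {
        foreach (var part in interpolated.Parts)
        {
            if (part is IInterpolationOperation) return true;
        }
        return false;
    }
}
```

With this in place, conn.Execute($"update foo set balance={value} where id={id}") is reported at the literal, while the parameterized form conn.Execute("update foo set balance=@value where id=@id", new { value, id }) is not, because its SQL argument is a plain literal with no interpolation. String concatenation with + is a separate pattern that this check does not cover.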
