Clinton Portis

Pass user input (parameters) in the query string (SqlCommand.CommandText), without getting a VS code analysis warning

I think the main point of my question is: what is best practice, or is Visual Studio 2019 giving me wrong hints about reviewing the query string?

I have checked this example from Microsoft, which the warning code sends me to, but the following warning keeps popping up. The example gives obsolete code, so I might be looking in the wrong place.

Review if the query string passed to 'string SqlCommand.CommandText' in 'GetTrumpfCadCamDocuments', accepts any user input.

The code was different, but when I do it the way the docs suggest the code looks like this:


using System.Data.SqlClient;
using System.IO;

// The sqlfilepath is a content file which looks like this:
// SELECT * FROM [R_DOCUMENT] WHERE [TYPE] = @type
// Writing out the file content as a string is also used sometimes,
// which gives the same warning.

string query = File.ReadAllText(sqlfilepath);

using (SqlConnection connection = new SqlConnection(connectionString))
{
    connection.Open();

    using (SqlCommand command = new SqlCommand())
    {
        command.Connection = connection;
        command.Parameters.AddWithValue("@type", type);
        command.CommandText = query; // warning gets triggered here

        .....
    }
}

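Added example (not part of the question, not Microsoft's sample) showing why the analyzer warns and why the parameterized version is still safe. The rule behind the message is CA2100, which only stays quiet when it can see that the text assigned to CommandText is a constant; text read from a file at runtime is opaque to it, so the "review" prompt fires even for a query that takes no user input. The example assumes Microsoft.Data.SqlClient (System.Data.SqlClient behaves the same here), a constructed input value containing a quote, and no database connection; the method names are my own:

```csharp
using System;
using System.Data;
using System.Diagnostics.CodeAnalysis;
using Microsoft.Data.SqlClient;

static class QueryDemo
{
    // Constant SQL text: the analyzer can prove it never carries user input,
    // so assigning it to CommandText raises no CA2100 warning.
    const string DocumentsByType =
        "SELECT * FROM [R_DOCUMENT] WHERE [TYPE] = @type";

    // The pattern the warning exists to catch: input spliced into SQL text.
    // A value containing a single quote changes the statement itself.
    static SqlCommand BuildConcatenated(string type)
    {
        var cmd = new SqlCommand();
        cmd.CommandText =
            "SELECT * FROM [R_DOCUMENT] WHERE [TYPE] = '" + type + "'";
        return cmd;
    }

    // The safe pattern: SQL text is fixed, input travels as a typed parameter
    // and is never interpreted as SQL, whatever characters it contains.
    // CA2100 still fires when sqlText is not a literal (e.g. read from a file);
    // the suppression below is the "review" the message asks for, and is only
    // justified if the file is deployed with the app and not user-writable.
    [SuppressMessage("Security", "CA2100:Review SQL queries for security vulnerabilities",
        Justification = "Query text is a fixed deployment artifact; all input is parameterized.")]
    static SqlCommand BuildParameterized(string sqlText, string type)
    {
        var cmd = new SqlCommand();
        cmd.CommandText = sqlText;
        // Explicit type and size instead of AddWithValue: avoids the implicit
        // conversion surprises that can defeat index use on the server side.
        cmd.Parameters.Add("@type", SqlDbType.NVarChar, 50).Value = type;
        return cmd;
    }

    static void Main()
    {
        string type = "O'Reilly"; // constructed input value containing a quote

        // Concatenation: the quote has become part of the SQL statement.
        Console.WriteLine(BuildConcatenated(type).CommandText);

        // Parameterization: statement text is unchanged, value sits beside it.
        var safe = BuildParameterized(DocumentsByType, type);
        Console.WriteLine(safe.CommandText);
        Console.WriteLine(safe.Parameters["@type"].Value);
    }
}
```

Two practical options follow from this: keep the query as a `const string` in code, and the warning disappears on its own; or keep it in a content file, check that nothing at runtime can write to that file and that no input is ever concatenated into it, and then suppress CA2100 on that method with a justification, as the attribute above does.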