interpolated strings: conn.QueryFirst<Customer>($"select * from customers where Id={id}")
concatenation with variables conn.QueryFirst<Customer>("select * from customers where Id=" + id)
in both cases, we'll grudgingly permit constant string values; I'd like to permit other constant values, but culture rules make that impossible
(applies in all SQL scenarios, not just QueryFirst)
should probably be a warning, category "Security", something like "Data values should not be concatenated into SQL - use parameters instead"; it is hard to offer an auto rewrite here because the specific parameter syntax is provider specific - but we might know the provider (we have some stuff for that already; that's a distant second to spotting it, though)
examples:
conn.QueryFirst<Customer>($"select * from customers where Id={id}")conn.QueryFirst<Customer>("select * from customers where Id=" + id)stringvalues; I'd like to permit other constant values, but culture rules make that impossible(applies in all SQL scenarios, not just
QueryFirst)should probably be a warning, category "Security", something like "Data values should not be concatenated into SQL - use parameters instead"; it is hard to offer an auto rewrite here because the specific parameter syntax is provider specific - but we might know the provider (we have some stuff for that already; that's a distant second to spotting it, though)