DotNetAnalyzers / TSqlAnalyzer

T-SQL Code Analyzer for Visual Studio 2015 CTP6
MIT License

Wrong squiggle information on string variable #11

Open RonnieHegelund opened 9 years ago

RonnieHegelund commented 9 years ago

```csharp
using System.Data.SqlClient;

// selection and where are concatenated straight into the statement text
string sql = "SELECT " + selection + " FROM myTable WHERE " + where;

var cmd4 = new SqlCommand(sql);
```

vendettamit commented 8 years ago

IMO it looks more like "SQL injection" and should be reported with a severity of error. I will create another issue to create an analyzer to detect SQL injection and add this issue there.
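The pattern in the issue (a SELECT list and a WHERE clause concatenated straight into the statement text) is exactly what an injection check has to flag, because neither fragment can be bound as a parameter: only values can. The block below is an added example, not code from this issue or from the TSqlAnalyzer project. It uses an in-memory SQLite table (`myTable` with constructed columns `id`, `name`, `secret`) to show the concatenated query leaking a column and bypassing the filter, next to a hardened form that allowlists identifiers and binds the filter value as a parameter. The table contents, the allowlist and the function names are all assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table standing in for myTable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (id INTEGER, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO myTable VALUES (?, ?, ?)",
        [(1, "alice", "s1"), (2, "bob", "s2")],
    )
    return conn


def query_concat(conn, selection, where):
    """Mirrors the issue's pattern: caller-controlled text becomes SQL syntax."""
    sql = "SELECT " + selection + " FROM myTable WHERE " + where
    return conn.execute(sql).fetchall()


# Identifiers cannot be parameterized, so they are checked against a fixed set
# (assumed allowlist for this example); values go through a bound parameter.
ALLOWED_COLUMNS = {"id", "name"}


def query_safe(conn, selection, filter_column, filter_value):
    """Hardened form: allowlisted column names, parameterized filter value."""
    cols = [c.strip() for c in selection.split(",")]
    if not cols or any(c not in ALLOWED_COLUMNS for c in cols):
        raise ValueError("column not in allowlist: %r" % selection)
    if filter_column not in ALLOWED_COLUMNS:
        raise ValueError("column not in allowlist: %r" % filter_column)
    # Only trusted, allowlisted identifiers are interpolated; the value is bound.
    sql = "SELECT " + ", ".join(cols) + " FROM myTable WHERE " + filter_column + " = ?"
    return conn.execute(sql, (filter_value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Intended use: one row back.
    print(query_concat(db, "name", "name = 'alice'"))
    # Filter bypass: the WHERE fragment is rewritten by the caller.
    print(query_concat(db, "name", "name = 'nobody' OR 1=1"))
    # Column leak: the SELECT list is rewritten by the caller.
    print(query_concat(db, "secret", "1=1"))
    # Hardened: the same payload is just a literal value and matches nothing.
    print(query_safe(db, "name", "name", "nobody' OR 1=1"))
```

Running the script shows the concatenated version returning every row for the `OR 1=1` fragment and the `secret` column for a rewritten SELECT list, while the hardened version returns an empty result for the same payload and raises `ValueError` if `secret` is requested. An analyzer that only looks for string concatenation feeding `SqlCommand` would still be right to flag the original line: the fix is not to parameterize the fragments but to restructure so that only values reach the query as input.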