eswartechraq / dapper-dot-net

Automatically exported from code.google.com/p/dapper-dot-net
Other
0 stars 0 forks source link

Improper oledb parameter regex detection #174

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?

-Create a class containing a property that would not be supported. Example:

    public class TestClass1
    {
        public TestClass2 Database { get; set; }
        public int ID { get; set; }
        public string Field { get; set; }
        public string Detail { get; set; }
    }

-Attempt to run a query with an IEnumerable<class> attached as a parameter that 
contains @@ in the sql. Very simple example: 

conn.ExecuteAsync(@"UPDATE table SET Detail = @Detail WHERE ID = @ID AND Field 
= @Field
IF @@rowcount > 0 BEGIN SELECT 1 END;", IEnumerable<TestClass1>);

What is the expected output? What do you see instead?

Update should run, followed by a useless select.

What happens instead is you get a NotSupportedException ("The member Database 
of type TestClass2 cannot be used as a parameter value") 

The reason appears that dapper is detecting @@rowcount as OleDB '@' parameter 
syntax, and as a result does not do any filtering on parameters. Changing it to 
@rowcount "fixes" things. Although obviously now the query doesn't work.

What version of the product are you using?

1.25

Please provide any additional information below.

Seems like it can be fixed by changing:

static readonly Regex smellsLikeOleDb = new 
Regex(@"(?<![a-zA-Z0-9_])[?@:](?![a-zA-Z0-9_])", RegexOptions.IgnoreCase | 
RegexOptions.Multiline | RegexOptions.CultureInvariant | RegexOptions.Compiled)

To: 

static readonly Regex smellsLikeOleDb = new 
Regex(@"(?<![a-zA-Z0-9@_])[?@:](?![a-zA-Z0-9@_])", RegexOptions.IgnoreCase | 
RegexOptions.Multiline | RegexOptions.CultureInvariant | RegexOptions.Compiled)

Original issue reported on code.google.com by sqm...@gmail.com on 22 May 2014 at 8:41

GoogleCodeExporter commented 8 years ago
Thank you. This should make it into the next build.

Original comment by marc.gravell on 22 May 2014 at 9:18