Open
Description
we should detect usage like:

```csharp
conn.Execute($"update foo set balance={value} where id={id}");
```

and issue a warning, but: this should only apply when the receiving parameter is a string. I have a plan for future magic voodoo here! There is a future version of Dapper where something very similar, i.e.

```csharp
conn.Execute($"update foo set balance=@{value} where id=@{id}");
```
actually works and does the correct thing. I have a working prototype. Must handle all types of interpolated string literal (`$"`, `$"""`, possibly `$""`, etc.)
Warning something like:
Interpolated strings should not be used as an alternative to parameterization, and can represent a significant security risk (SQL injection)
If we add the proposed Dapper feature, we can reword this and point them to the new usage.
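As an added illustration of the detection described above (example code written for this page, not Dapper's own analyzer), the following Roslyn analyzer flags an interpolated string argument passed to a method in the `Dapper` namespace only when the receiving parameter is typed `string`. Because Roslyn represents `$"..."`, `$@"..."`, and the raw `$"""..."""` forms all as `InterpolatedStringExpressionSyntax`, a single type check covers every literal shape listed above. The diagnostic id `EXAMPLE001`, the namespace filter, and the unwrapping of parenthesized arguments are assumptions made for this example.

```csharp
using System.Collections.Immutable;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;
using Microsoft.CodeAnalysis.Diagnostics;

[DiagnosticAnalyzer(LanguageNames.CSharp)]
public sealed class InterpolatedSqlAnalyzer : DiagnosticAnalyzer
{
    // Hypothetical id and category chosen for this example; the message text is the wording proposed in the issue.
    public static readonly DiagnosticDescriptor Rule = new(
        id: "EXAMPLE001",
        title: "Interpolated string passed as SQL",
        messageFormat: "Interpolated strings should not be used as an alternative to parameterization, and can represent a significant security risk (SQL injection)",
        category: "Security",
        defaultSeverity: DiagnosticSeverity.Warning,
        isEnabledByDefault: true);

    public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics => ImmutableArray.Create(Rule);

    public override void Initialize(AnalysisContext context)
    {
        context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
        context.EnableConcurrentExecution();
        context.RegisterSyntaxNodeAction(AnalyzeInvocation, SyntaxKind.InvocationExpression);
    }

    private static void AnalyzeInvocation(SyntaxNodeAnalysisContext context)
    {
        var invocation = (InvocationExpressionSyntax)context.Node;
        if (context.SemanticModel.GetSymbolInfo(invocation, context.CancellationToken).Symbol is not IMethodSymbol method)
            return;

        // Assumption: only methods declared in the Dapper namespace are of interest (Execute, Query, ...).
        if (method.ContainingNamespace?.ToDisplayString() != "Dapper")
            return;

        // For `conn.Execute(sql)` Roslyn returns the reduced extension method, whose
        // Parameters already exclude the `this IDbConnection` parameter, so positions line up.
        var parameters = method.Parameters;
        var args = invocation.ArgumentList.Arguments;

        for (int i = 0; i < args.Count; i++)
        {
            var arg = args[i];

            // Unwrap `(($"..."))` so parentheses cannot hide the pattern.
            var expr = arg.Expression;
            while (expr is ParenthesizedExpressionSyntax paren)
                expr = paren.Expression;

            // Covers $"...", $@"..." and raw $"""...""" alike.
            if (expr is not InterpolatedStringExpressionSyntax interpolated)
                continue;

            // An interpolated string with no {holes} is just a constant; nothing to inject.
            if (!interpolated.Contents.OfType<InterpolationSyntax>().Any())
                continue;

            // Only warn when the receiving parameter is a string (the SQL text), not e.g. an object param bag.
            var parameter = ResolveParameter(parameters, arg, i);
            if (parameter is null || parameter.Type.SpecialType != SpecialType.System_String)
                continue;

            context.ReportDiagnostic(Diagnostic.Create(Rule, arg.Expression.GetLocation()));
        }
    }

    // Maps an argument to its parameter, honouring `sql: $"..."` named arguments.
    private static IParameterSymbol? ResolveParameter(ImmutableArray<IParameterSymbol> parameters, ArgumentSyntax arg, int position)
    {
        if (arg.NameColon is { } nameColon)
        {
            var name = nameColon.Name.Identifier.ValueText;
            return parameters.FirstOrDefault(p => p.Name == name);
        }
        return position < parameters.Length ? parameters[position] : null;
    }
}
```

Run against the snippet at the top of this issue, the analyzer reports at the `$"update foo set balance={value} where id={id}"` argument, while `conn.Execute("update foo set balance=@value where id=@id", new { value, id })` produces no diagnostic because no argument is an interpolated string. A string built with `$"..."` and stored in a local before the call is not caught by this syntax-only check; tracking that would need data-flow analysis, which is deliberately out of scope here.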