Analyzer: interpolated string usage #143

Open
@mgravell

Description

we should detect usage like:

conn.Execute($"update foo set balance={value} where id={id}");

and issue a warning, but: this should only apply when the receiving parameter is a string. I have a plan for future magic voodoo here! There is a future version of Dapper where something very similar, i.e.

conn.Execute($"update foo set balance=@{value} where id=@{id}");

actually works and does the correct thing. I have a working prototype. Must handle all types of interpolated string literal ($", $""", possible $"" etc)

Warning something like:

Interpolated strings should not be used as an alternative to parameterization, and can represent a significant security risk (SQL injection)

If we add the proposed Dapper feature, we can reword this and point them to the new usage.
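One way the check described above could be expressed as a Roslyn operation analyzer. This is an added illustration, not code from the Dapper or DapperAOT projects; the diagnostic id, the SqlMapper/Dapper type match and the "at least one interpolation hole" rule are assumptions. Because the operation tree lowers every interpolated literal form ($", $@", @$", $""") to the same IInterpolatedStringOperation, one check covers all of them.

```csharp
using System.Collections.Immutable;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.Diagnostics;
using Microsoft.CodeAnalysis.Operations;

// Hypothetical analyzer (not the DapperAOT project's own code).
[DiagnosticAnalyzer(LanguageNames.CSharp)]
public sealed class InterpolatedSqlAnalyzer : DiagnosticAnalyzer
{
    // Diagnostic id is a placeholder; the real project assigns its own.
    public static readonly DiagnosticDescriptor Rule = new DiagnosticDescriptor(
        id: "DAPXXX",
        title: "Interpolated SQL",
        messageFormat: "Interpolated strings should not be used as an alternative to parameterization, and can represent a significant security risk (SQL injection)",
        category: "Security",
        defaultSeverity: DiagnosticSeverity.Warning,
        isEnabledByDefault: true);

    public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics => ImmutableArray.Create(Rule);

    public override void Initialize(AnalysisContext context)
    {
        context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
        context.EnableConcurrentExecution();
        context.RegisterOperationAction(AnalyzeInvocation, OperationKind.Invocation);
    }

    private static void AnalyzeInvocation(OperationAnalysisContext context)
    {
        var invocation = (IInvocationOperation)context.Operation;
        // Assumption: only Dapper's SqlMapper extension methods (Execute, Query, ...) are of interest.
        var type = invocation.TargetMethod.ContainingType;
        if (type?.Name != "SqlMapper" || type.ContainingNamespace?.Name != "Dapper") return;

        foreach (var arg in invocation.Arguments)
        {
            // Only warn when the receiving parameter is a plain string; a future overload
            // taking an interpolated-string handler would not match this test.
            if (arg.Parameter?.Type.SpecialType != SpecialType.System_String) continue;

            // Strip implicit conversions so the literal itself is inspected.
            var value = arg.Value;
            while (value is IConversionOperation conv) value = conv.Operand;

            // $"...", $@"...", @$"..." and $"""...""" all surface as IInterpolatedStringOperation;
            // a literal with no {hole} is harmless, so require at least one interpolation part.
            if (value is IInterpolatedStringOperation interp && interp.Parts.Any(p => p is IInterpolationOperation))
                context.ReportDiagnostic(Diagnostic.Create(Rule, arg.Value.Syntax.GetLocation()));
        }
    }
}
```

The parameter-type test is what keeps the warning from firing on an overload that accepts an interpolated-string handler, which is the distinction the issue calls out.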
