Skip to main content

Documentation Index

Fetch the complete documentation index at: https://ancplua.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

Source: AL0111SqlInterpolationInCommandTextAnalyzer.cs

Description

Assigning an interpolated string ($"..." or $"""...""") to a property named CommandText is a SQL injection vector. Values should be passed via parameterized queries (@param, $1) instead of being interpolated directly into the command string.

Bad Code

command.CommandText = $"SELECT * FROM Users WHERE Id = {userId}";

Good Code

command.CommandText = "SELECT * FROM Users WHERE Id = @id";
command.Parameters.AddWithValue("@id", userId);

Properties

  • Category: Reliability
  • Severity: Warning
  • Enabled by default: True
  • Code fix available: False

Configuration

dotnet_diagnostic.AL0111.severity = warning