AL0111 - SQL interpolation in CommandText

Description
Bad Code
Good Code
Properties
Configuration

Source: AL0111SqlInterpolationInCommandTextAnalyzer.cs

Description

Assigning an interpolated string ($"..." or $"""...""") to a property named CommandText is a SQL injection vector. Values should be passed via parameterized queries (@param, $1) instead of being interpolated directly into the command string.

Bad Code

command.CommandText = $"SELECT * FROM Users WHERE Id = {userId}";

Good Code

command.CommandText = "SELECT * FROM Users WHERE Id = @id";
command.Parameters.AddWithValue("@id", userId);

Properties

Category: Reliability
Severity: Warning
Enabled by default: True
Code fix available: False

Configuration

dotnet_diagnostic.AL0111.severity = warning

AL0110 AL0112

Getting Started

ANcpLua.NET.Sdk

ANcpLua.Analyzers

ANcpLua.Roslyn.Utilities

AL0111 - SQL interpolation in CommandText

Description

Bad Code

Good Code

Properties

Configuration

Getting Started

ANcpLua.NET.Sdk

ANcpLua.Analyzers

ANcpLua.Roslyn.Utilities

​Description

​Bad Code

​Good Code

​Properties

​Configuration

Description

Bad Code

Good Code

Properties

Configuration