C#
3y ago
20 replies
Zil

Need help with Dapper to prevent SQL injection on database parameter!

Hello, this is my current endpoint:
        [HttpGet]
        public async Task<ActionResult<List<Workflow>>> GetAllWorkflows(string databaseName)
        {
            using var connection = new SqlConnection(_config.GetConnectionString("Default"));

            // databaseName comes straight from the query string and is
            // interpolated into the SQL text as an identifier
            var sql = "SELECT [Key],[Code] " +
                $"FROM [{databaseName}].[dbo].[workflowTable] " +
                "ORDER BY [Key] ASC;";

            var workflows = await connection.QueryAsync<Workflow>(sql);

            return Ok(workflows);
        }

Now reading the documentation of Dapper, they implement an endpoint like this:
        // values are passed as named @parameters, never concatenated into the SQL
        var parameters = new { UserName = username, Password = password };
        var sql = "SELECT * from users where username = @UserName and password = @Password";
        var result = connection.Query(sql, parameters);

How can I implement this on the database parameter from my code?

Thanks in advance!
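A database name is an identifier, not a value, so it cannot be sent as a Dapper @parameter; the defensive pattern is to allow-list the name and quote it as a bracketed identifier. The following is an added example, not code from the original post or from Dapper; it assumes the Dapper and Microsoft.Data.SqlClient packages, and the Workflow class, repository name and allow-list source are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Dapper;
using Microsoft.Data.SqlClient;

public sealed class Workflow            // assumed shape of the poster's Workflow type
{
    public int Key { get; set; }
    public string Code { get; set; } = "";
}

public sealed class WorkflowRepository  // hypothetical name
{
    private readonly string _connectionString;
    private readonly HashSet<string> _allowedDatabases;

    public WorkflowRepository(string connectionString, IEnumerable<string> allowedDatabases)
    {
        _connectionString = connectionString;
        _allowedDatabases = new HashSet<string>(allowedDatabases, StringComparer.OrdinalIgnoreCase);
    }

    // Builds the allow-list from the server itself, via an ordinary parameter-free
    // query, so the request can never introduce a name the server does not know.
    public static async Task<HashSet<string>> LoadDatabaseNamesAsync(string connectionString)
    {
        using var connection = new SqlConnection(connectionString);
        var names = await connection.QueryAsync<string>("SELECT name FROM sys.databases;");
        return new HashSet<string>(names, StringComparer.OrdinalIgnoreCase);
    }

    // Quote as a T-SQL bracketed identifier, doubling any ']' (what QUOTENAME() does).
    public static string QuoteIdentifier(string name) => "[" + name.Replace("]", "]]") + "]";

    public async Task<IEnumerable<Workflow>> GetAllWorkflowsAsync(string databaseName)
    {
        // Reject anything not on the allow-list before it gets near the SQL text.
        if (string.IsNullOrWhiteSpace(databaseName) || !_allowedDatabases.Contains(databaseName))
            throw new ArgumentException("Unknown database.", nameof(databaseName));

        using var connection = new SqlConnection(_connectionString);

        // Only the validated, quoted identifier is interpolated; any real filter
        // values would still travel as @parameters exactly as in the Dapper docs.
        var sql = "SELECT [Key],[Code] " +
                  $"FROM {QuoteIdentifier(databaseName)}.[dbo].[workflowTable] " +
                  "ORDER BY [Key] ASC;";
        return await connection.QueryAsync<Workflow>(sql);
    }
}
```

In the controller, build the repository once with the loaded allow-list (or a fixed list from configuration) and call GetAllWorkflowsAsync from the endpoint.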