Need help with dapper to prevent sql injection on database parameter!

Hello, this is my current endpoint:

        [HttpGet]
        public async Task<ActionResult<List<Workflow>>> GetAllWorkflows(string databaseName)
        {
            using var connection = new SqlConnection(_config.GetConnectionString("Default"));

            var sql = "SELECT [Key],[Code] " +
                $"FROM [{databaseName}].[dbo].[workflowTable] " +
                "ORDER BY [Key] ASC;";

            var workflows = await connection.QueryAsync<Workflow>(sql);

            return Ok(workflows);
        }

        [HttpGet]
        public async Task<ActionResult<List<Workflow>>> GetAllWorkflows(string databaseName)
        {
            using var connection = new SqlConnection(_config.GetConnectionString("Default"));

            var sql = "SELECT [Key],[Code] " +
                $"FROM [{databaseName}].[dbo].[workflowTable] " +
                "ORDER BY [Key] ASC;";

            var workflows = await connection.QueryAsync<Workflow>(sql);

            return Ok(workflows);
        }

Now reading the documentation of dapper they implement a endpoint like this:

var parameters = new { UserName = username, Password = password };
var sql = "SELECT * from users where username = @UserName and password = @Password";
var result = connection.Query(sql, parameters);

var parameters = new { UserName = username, Password = password };
var sql = "SELECT * from users where username = @UserName and password = @Password";
var result = connection.Query(sql, parameters);

How can I implement this on the database parameter from my code?

Thanks in advance!

Need help with dapper to prevent sql injection on database parameter!

Hello, this is my current endpoint:

        [HttpGet]
        public async Task<ActionResult<List<Workflow>>> GetAllWorkflows(string databaseName)
        {
            using var connection = new SqlConnection(_config.GetConnectionString("Default"));

            var sql = "SELECT [Key],[Code] " +
                $"FROM [{databaseName}].[dbo].[workflowTable] " +
                "ORDER BY [Key] ASC;";

            var workflows = await connection.QueryAsync<Workflow>(sql);

            return Ok(workflows);
        }

        [HttpGet]
        public async Task<ActionResult<List<Workflow>>> GetAllWorkflows(string databaseName)
        {
            using var connection = new SqlConnection(_config.GetConnectionString("Default"));

            var sql = "SELECT [Key],[Code] " +
                $"FROM [{databaseName}].[dbo].[workflowTable] " +
                "ORDER BY [Key] ASC;";

            var workflows = await connection.QueryAsync<Workflow>(sql);

            return Ok(workflows);
        }

Now reading the documentation of dapper they implement a endpoint like this:

var parameters = new { UserName = username, Password = password };
var sql = "SELECT * from users where username = @UserName and password = @Password";
var result = connection.Query(sql, parameters);

var parameters = new { UserName = username, Password = password };
var sql = "SELECT * from users where username = @UserName and password = @Password";
var result = connection.Query(sql, parameters);

How can I implement this on the database parameter from my code?

Thanks in advance!

Need help with dapper to prevent sql injection on database parameter!

Similar Threads

Need help with dapper to prevent sql injection on database parameter!

Similar Threads

Similar Threads

Similar Threads