//taken from https://github.com/billdinger/OwaspTop10Examples/blob/master/Blog/SQL/SQLExamples.cs
using System;
using System.Data.SqlClient;
using Blog.Models;
using Microsoft.Extensions.Configuration;
namespace Blog.SQL
{
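public class SQLExamples
{
    /// <summary>Application configuration; only the "CommentContext" connection string is read.</summary>
    private IConfiguration Configuration { get; }

    /// <summary>
    /// Creates the example with the configuration that supplies the database connection string.
    /// </summary>
    /// <param name="configuration">Configuration holding the "CommentContext" connection string.</param>
    public SQLExamples(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    /// <summary>
    /// A1 - Injection - This is an example of ADO.NET Raw SQL call in which we can't use entity framework for some reason, or
    /// a SPROC but we need to still execute SQL. The statement refers to the comment fields only through
    /// SqlParameter placeholders, so the Author/Body text is sent as data and never spliced into the SQL text.
    /// </summary>
    /// <param name="comment">The comment to add to our database.</param>
    /// <exception cref="ArgumentNullException"><paramref name="comment"/> is null.</exception>
    /// <exception cref="SqlException">The insert fails on the server.</exception>
    public void Add(Comment comment)
    {
        if (comment == null)
        {
            throw new ArgumentNullException(nameof(comment));
        }

        // The placeholders must be unquoted: '@Author' is the literal string "@Author", not a parameter,
        // and the column list needs parentheses for SQL Server to parse the statement. Values are listed
        // in the same order as the columns.
        const string sql = "INSERT INTO comments (Id, Body, Author) VALUES (@Id, @Body, @Author)";

        using (var conn = new SqlConnection(Configuration.GetConnectionString("CommentContext")))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // A null .NET value would make SqlClient report the parameter as "not supplied";
            // DBNull.Value is what sends SQL NULL.
            cmd.Parameters.Add(new SqlParameter("@Id", comment.Id));
            cmd.Parameters.Add(new SqlParameter("@Body", (object)comment.Body ?? DBNull.Value));
            cmd.Parameters.Add(new SqlParameter("@Author", (object)comment.Author ?? DBNull.Value));

            // ExecuteNonQuery throws InvalidOperationException on a closed connection.
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}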
}