

Use sql parameters instead of potential sql injection.
jahav committed Oct 3, 2024
1 parent 8bc2ccf commit 0471bd6
Showing 1 changed file with 9 additions and 7 deletions.
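--- a/src/DataIsland.SqlServer/SqlDatabaseTenantFactory.cs
+++ b/src/DataIsland.SqlServer/SqlDatabaseTenantFactory.cs
@@ -113,13 +113,15 @@ private static List<BackupFile> GetLogicalFiles(SqlConnection connection, string
 // TODO: Don't do on every tenant
 var logicalFiles = new List<BackupFile>();
 var query = connection.CreateCommand();
-query.CommandText = $"""
-RESTORE FILELISTONLY
-FROM DISK = N'{EscapePath(diskPath)}'
-WITH
-FILE = {file},
-NOUNLOAD
-""";
+query.CommandText = """
+RESTORE FILELISTONLY
+FROM DISK = @path
+WITH
+FILE = @file,
+NOUNLOAD
+""";
+query.Parameters.Add("@path", SqlDbType.NVarChar, 1024).Value = diskPath;
+query.Parameters.Add("@file", SqlDbType.Int).Value = file;
 using var reader = query.ExecuteReader();
 var logicalNameOrdinal = reader.GetOrdinal("LogicalName");
 var typeOrdinal = reader.GetOrdinal("Type");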
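Review bot: The `@path` parameter is given a fixed size of 1024, and as far as I recall SqlClient sends at most `Size` characters of an input string value, so a longer disk path would be silently cut and the RESTORE would address a different or non-existent file instead of failing with a clear error; consider omitting the explicit size so it follows the value, `query.Parameters.Add("@path", SqlDbType.NVarChar).Value = diskPath;`, or validating the path length before building the command. `@file` is typed `SqlDbType.Int`, which is only right if `file` is an `int`; its declaration sits in the signature outside the hunk, so worth confirming. With the interpolated literal gone, `EscapePath` may no longer have a caller in this file, and if so it should be deleted so string-built SQL does not creep back in through it. GetLogicalFiles starts before this hunk and its body continues below it.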
