From 4871668a90c2eadf97da44ff580939ccb5a0ed53 Mon Sep 17 00:00:00 2001
From: Chase Tucker
Date: Wed, 4 Jun 2025 09:30:39 -0700
Subject: [PATCH] Use query params for user strings

---
 MesaFabApproval.API/Services/MRBService.cs | 4 ++--
 MesaFabApproval.API/Services/PCRBService.cs | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/MesaFabApproval.API/Services/MRBService.cs b/MesaFabApproval.API/Services/MRBService.cs
index f9c28bb..b9d0fd7 100644
--- a/MesaFabApproval.API/Services/MRBService.cs
+++ b/MesaFabApproval.API/Services/MRBService.cs
@@ -212,9 +212,9 @@ public class MRBService : IMRBService {
 StringBuilder queryBuilder = new();
 queryBuilder.Append("select (u.FirstName + ' ' + u.LastName) as OriginatorName, m.* ");
 queryBuilder.Append("from MRB m join Users u on m.OriginatorID = u.UserID ");
-queryBuilder.Append($"where m.Title = '{title}'");
+queryBuilder.Append("where m.Title = @Title");
 
-mrb = (await _dalService.QueryAsync(queryBuilder.ToString())).FirstOrDefault();
+mrb = (await _dalService.QueryAsync(queryBuilder.ToString(), new { Title=title })).FirstOrDefault();
 
 _cache.Set($"mrb{title}", mrb, DateTimeOffset.Now.AddHours(1));
 }
diff --git a/MesaFabApproval.API/Services/PCRBService.cs b/MesaFabApproval.API/Services/PCRBService.cs
index 4b44752..0317da6 100644
--- a/MesaFabApproval.API/Services/PCRBService.cs
+++ b/MesaFabApproval.API/Services/PCRBService.cs
@@ -169,9 +169,9 @@ public class PCRBService : IPCRBService {
 if (!bypassCache) pcrb = _cache.Get($"pcrb{title}");
 if (pcrb is null) {
-string sql = $"select * from CCChangeControl where Title='{title}'";
+string sql = "select * from CCChangeControl where Title=@Title";
 
-pcrb = (await _dalService.QueryAsync(sql)).FirstOrDefault();
+pcrb = (await _dalService.QueryAsync(sql, new { Title = title })).FirstOrDefault();
 
 if (pcrb is not null) {
 if (string.IsNullOrWhiteSpace(pcrb.OwnerName) && pcrb.OwnerID > 0)
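Review bot: The anonymous parameter object is written `new { Title=title }` in the MRBService hunk but `new { Title = title }` in the PCRBService hunk; pick one spacing (the spaced form matches the rest of the line). The parameterisation itself is the right fix, and it also stops a title containing a single quote from breaking the query, which the old interpolated string would have done. One thing the hunk leaves as it was: `_cache.Set($"mrb{title}", mrb, DateTimeOffset.Now.AddHours(1));` runs even when `mrb` is null, so a lookup for a title that does not exist pins a null entry for an hour; if that is not intended, wrap it in `if (mrb is not null)`. Whether `@Title` is bound with the same type as `m.Title` depends on `_dalService.QueryAsync`, which is outside this hunk; a mismatch (for example an nvarchar parameter against a varchar column) would cost an index scan rather than correctness, so it is worth confirming once. The enclosing method starts before the hunk.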