Change SqlFmt to use sql parameters

The current implementation of SqlFmt is to convert the parameters to realvalues. Shouldn’t this be better to optimize this to Sql parameters (for 2 obvious reasons, prevent sql injection and optimize queryplans).

That is not the purpose of SqlFmt which is a string extension method to add quoted args to an SQL fragment, it obviously cannot be refactored to use DB parameters without a reference to a DB Command.

This is the 2nd time in succession that you’ve indicated an API allows SQL injection, the args of SqlFmt are quoted and escaped so sql injection should not be possible (which is the primary purpose of the API otherwise you’d just use C#’s string.Fomat), but you’re continually saying it is, so please provide an actual example to backup your claim.

1 Like