Document how to avoid SQL injection with Dapper on bobby-tables.com

[zspitz]

bobby-tables.com, a website devoted to avoiding SQL injection on various platforms, has a page on Dapper.

The page only has some minimal examples. Perhaps it might be a good idea for someone more familiar with the Dapper API to expand the text and examples?

At minimum, I think there ought to be a comprehensive list of Dapper methods which take raw SQL, and are thus potentially vulnerable to SQL injection if parameters aren't used.

[robertharvey416]

Isn't this sort of self-evident? SQL Injection is caused by string concatenation instead of parameters, so your code is going to be vulnerable to SQL Injection wherever you concatenate raw SQL, which is... well, anywhere where you provide SQL to Dapper.

[zspitz]

It's the "anywhere where you provide SQL to Dapper" that's the problem. I think, ideally, there should be a list of methods, such that the developer can go over this list and ask about each one -- "Am I using this method anywhere? I need to check it for concatenated SQL".

[robertharvey416]

The core methods of Dapper are Query and Execute, both of which take SQL statements and parameters. Dapper's premise is based on writing your own SQL statements, so in core Dapper, the answer to "which methods are vulnerable to SQL injection if you don't parameterize them" is basically "all of them."

If you want methods that cannot be "Bobby-tabled," Dapper Contrib has them.