Skip to content

Increasing usage of SQL parameters #460

Open
Open
Increasing usage of SQL parameters#460
@elfring

Description

@elfring
elfring
opened on May 15, 2025

💭 I find a few implementation details improvable also for the application of SQL commands.

Update candidate:

ChanSort/source/ChanSort.Loader.Android/AldenSerializer.cs

Lines 87 to 115 in 10a53f3

#region Load()
public override void Load()
{
using var conn = new SqliteConnection($"Data Source={this.FileName};Pooling=False");
conn.Open();
using var cmd = conn.CreateCommand();
foreach (var table in new[] { "dtv_satellite_channels" })
{
cmd.CommandText = $"select count(1) from sqlite_master where type='table' and name='{table}'";
if ((long)cmd.ExecuteScalar() == 0)
throw LoaderException.TryNext(ERR_UnknownFormat);
}
var columns = "_id, type, service_type, original_network_id, transport_stream_id, service_id, display_number, display_name, browsable, searchable, locked, "
+ "internal_provider_flag1, internal_provider_flag4, favorite, scrambled, channel_index";
var fields = columns.Split(',');
var c = new Dictionary<string, int>();
for (int i = 0; i < fields.Length; i++)
c[fields[i].Trim()] = i;
foreach (var subList in this.subLists)
{
cmd.CommandText = $"select count(1) from sqlite_master where type='table' and name='{subList.Item1}'";
if ((long)cmd.ExecuteScalar() == 0)
continue;
cmd.CommandText = $"select {columns} from {subList.Item1}";

Would it be a bit safer to use SQL parameters instead of using C# string interpolation for the construction of special SQL commands? 🤔

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions