From 544b2570fddc295388ce5d13f8ba536c2bf3f08f Mon Sep 17 00:00:00 2001
From: windpacer
Date: Sun, 26 Apr 2026 11:33:16 +0900
Subject: [PATCH] =?UTF-8?q?fix(#8):=20AnalyzeAsync=20SQL=20=EC=9D=B8?= =?UTF-8?q?=EC=A0=9D=EC=85=98=20=EB=B0=A9=EC=A7=80=20(parameterized=20quer?= =?UTF-8?q?y=20=EC=82=AC=EC=9A=A9)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/Core/Application/Services/TextToSqlService.cs | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/src/Core/Application/Services/TextToSqlService.cs b/src/Core/Application/Services/TextToSqlService.cs
index c38d75c..fae8deb 100644
--- a/src/Core/Application/Services/TextToSqlService.cs
+++ b/src/Core/Application/Services/TextToSqlService.cs
@@ -644,11 +644,8 @@ public class TextToSqlService : ITextToSqlService
 foreach (var tagName in tagNames) {
- // SQL 인젝션 방지를 위해 태그명 이스케이프
- var escapedTagName = tagName.Replace("'", "''");
-
- // history_table: tagname (TEXT), recorded_at (TIMESTAMPTZ), value (TEXT)
- var sql = $@"
+ // SQL 인젝션 방지를 위해 parameterized query 사용
+ var sql = @"
 SELECT AVG(value::double precision) AS avg_val, MIN(value::double precision) AS min_val,
@@ -658,10 +655,14 @@ public class TextToSqlService : ITextToSqlService
 last(value::double precision, recorded_at) AS last_val, COUNT(*) AS point_count FROM history_table
- WHERE tagname = '{escapedTagName}'
- AND recorded_at BETWEEN '{from}' AND '{to}'";
+ WHERE tagname = @tagName
+ AND recorded_at BETWEEN @fromTimestamp AND @toTimestamp";
 using var cmd = new NpgsqlCommand(sql, conn);
+ cmd.Parameters.AddWithValue("@tagName", tagName);
+ cmd.Parameters.AddWithValue("@fromTimestamp", DateTime.Parse(from));
+ cmd.Parameters.AddWithValue("@toTimestamp", DateTime.Parse(to));
+
 using var reader = await cmd.ExecuteReaderAsync();
 if (await reader.ReadAsync())