fix(#8): AnalyzeAsync 날짜 파라미터도 parameterized 처리(SQL 인젝션 방지)

windpacer
2026-04-26 11:34:54 +09:00
parent 544b2570fd
commit dd6ff78d25


@@ -637,9 +637,10 @@ public class TextToSqlService : ITextToSqlService
? dto.TagNames
: await GetAllTagNamesAsync(conn);
var from = dto.From?.ToString("yyyy-MM-dd HH:mm:ss") ?? DateTime.Now.AddDays(-1).ToString("yyyy-MM-dd HH:mm:ss");
var to = dto.To?.ToString("yyyy-MM-dd HH:mm:ss") ?? DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss");
// 날짜 파라미터도 SQL 인젝션 방지를 위해 parameterized 처리
var fromTimestamp = dto.From ?? DateTime.Now.AddDays(-1);
var toTimestamp = dto.To ?? DateTime.Now;
var tagResults = new List<AnalysisTagResult>();
foreach (var tagName in tagNames)
@@ -660,8 +661,8 @@ public class TextToSqlService : ITextToSqlService
using var cmd = new NpgsqlCommand(sql, conn);
cmd.Parameters.AddWithValue("@tagName", tagName);
cmd.Parameters.AddWithValue("@fromTimestamp", DateTime.Parse(from));
cmd.Parameters.AddWithValue("@toTimestamp", DateTime.Parse(to));
cmd.Parameters.AddWithValue("@fromTimestamp", fromTimestamp);
cmd.Parameters.AddWithValue("@toTimestamp", toTimestamp);
using var reader = await cmd.ExecuteReaderAsync();
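Review bot: The new `@fromTimestamp`/`@toTimestamp` AddWithValue calls let Npgsql infer the PostgreSQL type from DateTime.Kind, which the removed DateTime.Parse round-trip always normalised to Kind=Unspecified; now dto.From/dto.To are forwarded with whatever Kind the caller's binding produced, and the fallback DateTime.Now is Kind=Local, so the wire type (timestamp vs. timestamptz) can vary per request and Npgsql 6+ rejects some Kind/column combinations. Pin the type explicitly, e.g. `cmd.Parameters.AddWithValue("@fromTimestamp", NpgsqlDbType.Timestamp, fromTimestamp);` (or TimestampTz, whichever matches the column), and if the column is timestamptz consider building the default window from DateTime.UtcNow rather than server-local DateTime.Now. The removed lines already bound the parsed DateTime as a parameter rather than concatenating it, so the practical gain here is dropping the lossy string round-trip; the comment added in the first hunk could say that instead of describing it as an injection fix. The foreach body and the enclosing AnalyzeAsync method continue outside the hunk.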