From dd6ff78d25cfbe7e086387f22d4f4a216729d233 Mon Sep 17 00:00:00 2001
From: windpacer
Date: Sun, 26 Apr 2026 11:34:54 +0900
Subject: [PATCH] =?UTF-8?q?fix(#8):=20AnalyzeAsync=20=EB=82=A0=EC=A7=9C=20?= =?UTF-8?q?=ED=8C=8C=EB=9D=BC=EB=AF=B8=ED=84=B0=EB=8F=84=20parameterized?= =?UTF-8?q?=20=EC=B2=98=EB=A6=AC(SQL=20=EC=9D=B8=EC=A0=9D=EC=85=98=20?= =?UTF-8?q?=EB=B0=A9=EC=A7=80)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/Core/Application/Services/TextToSqlService.cs | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/Core/Application/Services/TextToSqlService.cs b/src/Core/Application/Services/TextToSqlService.cs
index fae8deb..1b77657 100644
--- a/src/Core/Application/Services/TextToSqlService.cs
+++ b/src/Core/Application/Services/TextToSqlService.cs
@@ -637,9 +637,10 @@ public class TextToSqlService : ITextToSqlService
 ? dto.TagNames
 : await GetAllTagNamesAsync(conn);
- var from = dto.From?.ToString("yyyy-MM-dd HH:mm:ss") ?? DateTime.Now.AddDays(-1).ToString("yyyy-MM-dd HH:mm:ss");
- var to = dto.To?.ToString("yyyy-MM-dd HH:mm:ss") ?? DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss");
-
+ // 날짜 파라미터도 SQL 인젝션 방지를 위해 parameterized 처리
+ var fromTimestamp = dto.From ?? DateTime.Now.AddDays(-1);
+ var toTimestamp = dto.To ?? DateTime.Now;
+
 var tagResults = new List();
 foreach (var tagName in tagNames)
@@ -660,8 +661,8 @@ public class TextToSqlService : ITextToSqlService
 using var cmd = new NpgsqlCommand(sql, conn);
 cmd.Parameters.AddWithValue("@tagName", tagName);
- cmd.Parameters.AddWithValue("@fromTimestamp", DateTime.Parse(from));
- cmd.Parameters.AddWithValue("@toTimestamp", DateTime.Parse(to));
+ cmd.Parameters.AddWithValue("@fromTimestamp", fromTimestamp);
+ cmd.Parameters.AddWithValue("@toTimestamp", toTimestamp);
 using var reader = await cmd.ExecuteReaderAsync();
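Review bot: The new comment in the first hunk attributes the change to SQL-injection prevention, but the removed lines in the second hunk show the timestamps were already bound as parameters (`DateTime.Parse(from)` / `DateTime.Parse(to)`); what the patch actually removes is the `yyyy-MM-dd HH:mm:ss` string round-trip, which truncated sub-second precision and relied on culture-dependent `DateTime.Parse`. Suggest rewording it to `// Bind the DateTime values directly: the old format-then-Parse round-trip lost sub-second precision and used culture-dependent parsing`. A behavioural difference worth checking is `DateTimeKind`: the old `DateTime.Parse` produced `Unspecified` for both parameters, whereas now `dto.From`/`dto.To` keep whatever Kind the caller supplied while the fallback `DateTime.Now` is `Local`, and Npgsql 6+ infers `timestamp` versus `timestamptz` from the Kind when `AddWithValue` has no explicit type, so mixed Kinds can bind to different PostgreSQL types. Consider normalising the Kind (e.g. `DateTime.UtcNow` with UTC inputs) or binding with an explicit type in the second hunk, `cmd.Parameters.Add("@fromTimestamp", NpgsqlDbType.Timestamp).Value = fromTimestamp;`. The enclosing method starts and ends outside both hunks.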