False positive Potential SQL injection with MsSQL Data Provider
sady4850 opened this issue · 0 comments
sady4850 commented
```csharp
class MyFoo {
    const string stringConst = "";

    void Do() {
        var s = "select * from Products";
        var sqlCommand = new SqlCommand(s + stringConst);
    }
}
```
This reports a potential SQL injection, which it is not. Note that there is no warning in the case of a local const.
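An added sketch, not part of the original report and not the analyzer's own code, of how a Roslyn-based check can treat a `const` field the same way as a `const` local when classifying concatenation operands. It assumes the `Microsoft.CodeAnalysis.CSharp` package; `ConstConcatCheck`, `IsConstantLike` and the `Bad` method are hypothetical names, and the concatenation is assigned to a local rather than passed to `SqlCommand` so the sample binds without the SQL client assembly.

```csharp
using System;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;

static class ConstConcatCheck
{
    // Constructed sample: the reported pattern plus a genuinely tainted variant.
    const string Source = @"
class MyFoo {
    const string stringConst = """";
    void Do() {
        var s = ""select * from Products"";
        var a = s + stringConst;
    }
    void Bad(string input) {
        var s = ""select * from Products where Name = '"";
        var b = s + input;
    }
}";

    // True for compile-time constants (literal, const field, const local) and for
    // locals initialized from one. Simplification: reassignment is not tracked.
    static bool IsConstantLike(ExpressionSyntax e, SemanticModel model)
    {
        if (model.GetConstantValue(e).HasValue) return true;
        if (model.GetSymbolInfo(e).Symbol is ILocalSymbol local &&
            local.DeclaringSyntaxReferences.FirstOrDefault()?.GetSyntax()
                is VariableDeclaratorSyntax { Initializer: { } init })
            return model.GetConstantValue(init.Value).HasValue;
        return false;
    }

    static void Main()
    {
        var tree = CSharpSyntaxTree.ParseText(Source);
        var compilation = CSharpCompilation.Create("demo", new[] { tree },
            new[] { MetadataReference.CreateFromFile(typeof(object).Assembly.Location) });
        var model = compilation.GetSemanticModel(tree);

        foreach (var add in tree.GetRoot().DescendantNodes().OfType<BinaryExpressionSyntax>()
                     .Where(b => b.IsKind(SyntaxKind.AddExpression)))
        {
            bool safe = IsConstantLike(add.Left, model) && IsConstantLike(add.Right, model);
            Console.WriteLine($"{add}: {(safe ? "constant operands, no finding" : "non-constant operand, report")}");
        }
    }
}
```

`GetConstantValue` resolves a reference to a `const` field exactly as it does a `const` local, so `s + stringConst` is classified as constant while `s + input` is still reported.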