Will It Vibe logoWill It Vibe?
CSHARP-001High severity-15 points

SQL query built by string concatenation or interpolation

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

SqlCommand/SqlDataAdapter text or CommandText is built from a literal glued to a variable with + or an interpolated $"..." string instead of a parameterized query, letting attacker-controlled input change the query structure.

Why it matters

Building a SQL command by gluing a literal to a variable, whether with + or an interpolated $"..." string, means the query structure itself can change based on what the variable contains. An attacker who controls that value can add clauses, union in other tables, or bypass a WHERE filter entirely. This is one of the oldest and still one of the most common ways production databases get breached.

How to fix it

Use a parameterized query: keep placeholders like @username in the CommandText and add the values through cmd.Parameters.Add or cmd.Parameters.AddWithValue. If you use Dapper or EF Core, pass values as method arguments or use their parameterized query APIs rather than building SQL strings by hand. Never validate or escape your way around this; use parameters.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks