/// <summary>
/// A query that references <c>@name</c> but passes the value as <c>Name</c> must be reported:
/// the parameter name in the SQL and the name given to <c>.Parameter(...)</c> differ only in casing.
/// </summary>
public void ShouldDetectIncorrectlyCasedParameter()
        {
            const string source = @"
				transaction.Query<Customer>().Where('FirstName = @name').Parameter('Name', 'Robert').ToList();
			";

            var diagnostics = CodeCompiler.Compile<NevermoreEmbeddedSqlExpressionAnalyzer>(source);

            AssertError(
                diagnostics,
                "The query refers to the parameter '@name', but the parameter being passed uses different casing.");
        }
        /// <summary>
        /// A query that references <c>@name</c> without any <c>.Parameter(...)</c> call must be reported
        /// as a missing parameter value.
        /// </summary>
        public void ShouldDetectMissingParameter()
        {
            const string source = @"
				transaction.Query<Customer>().Where('FirstName = @name').ToList();
			";

            var diagnostics = CodeCompiler.Compile<NevermoreEmbeddedSqlExpressionAnalyzer>(source);

            AssertError(
                diagnostics,
                "The query refers to the parameter '@name', but no value for the parameter is being passed to the query");
        }
        /// <summary>
        /// Building a WHERE clause by concatenating a variable into the SQL text must be reported by the
        /// injection analyzer, since the value is not passed as a parameter.
        /// </summary>
        public void ShouldDetectSqlInjectionInConcatenatedWhere()
        {
            const string source = @"
				var name = 'Robert';
				transaction.Query<Customer>().Where('Name = ' + name).ToList();
			";

            var diagnostics = CodeCompiler.Compile<NevermoreSqlInjectionAnalyzer>(source);

            AssertError(diagnostics, "This expression uses string concatenation");
        }
        /// <summary>
        /// The same concatenated WHERE clause as the injection test, but with the diagnostic explicitly
        /// suppressed via <c>#pragma warning disable NV0007</c>; the analyzer must then produce no error.
        /// </summary>
        public void ShouldCompileIfPragmaIgnore()
        {
            // The suppression in the snippet is paired with a comment stating why the call is safe,
            // which is the form a reviewer would expect next to any disabled NV0007 diagnostic.
            const string source = @"
				#pragma warning disable NV0007
				// This call is safe from SQL injection because...
				var name = 'Robert';
				transaction.Query<Customer>().Where('Name = ' + name).ToList();
			";

            var diagnostics = CodeCompiler.Compile<NevermoreSqlInjectionAnalyzer>(source);

            AssertPassed(diagnostics);
        }
        /// <summary>
        /// Parameters supplied through <c>CommandParameterValues</c> built from an anonymous object
        /// (<c>name</c>, <c>age</c>) must satisfy the <c>@name</c> and <c>@age</c> references in the SQL,
        /// so the embedded-SQL analyzer reports nothing.
        /// </summary>
        public void ShouldDetectCommandParametersWithObjectSyntax()
        {
            const string source = @"
				var name = 'Robert';
				var args = new CommandParameterValues(
                    new
                    {
                        name,
                        age = 71
                    });
				transaction.Stream<Customer>('select * from dbo.Customer where Name = @name and Age = @age', args).ToList();
			";

            var diagnostics = CodeCompiler.Compile<NevermoreEmbeddedSqlExpressionAnalyzer>(source);

            AssertPassed(diagnostics);
        }
        /// <summary>
        /// Interpolating a variable into the SQL passed to <c>Stream</c> must be reported by the injection
        /// analyzer even though a <c>CommandParameterValues</c> argument is also supplied; the analyzer
        /// reports interpolation with the same message it uses for concatenation.
        /// </summary>
        public void ShouldDetectSqlInjectionInInterpolatedStream()
        {
            const string source = @"
				var name = 'Robert';
				var args = new CommandParameterValues(
                    new
                    {
                        name,
                        age = 71
                    });
				transaction.Stream<Customer>($'select * from dbo.Customer where Name = {name}', args).ToList();
			";

            var diagnostics = CodeCompiler.Compile<NevermoreSqlInjectionAnalyzer>(source);

            AssertError(diagnostics, "This expression uses string concatenation");
        }