//---------------------------------------------------------------------
/// <summary>
/// Creates and parameterizes an instance of Microsoft.Azure.Cosmos.QueryDefinition
/// using the given queryText and args to mitigate risk from SQLi attacks
/// </summary>
/// <param name="queryText">Query text to use</param>
/// <param name="args">Arguments to map and parameterize</param>
/// <returns>
/// Returns a QueryDefinition instance that is been instantiated
/// with the given queryText and parameterized
/// </returns>
//---------------------------------------------------------------------
public static QueryDefinition Create(String queryText, params Object[] args)
{
// Input validation
AntiSQLiCommon.ValidateQueryTextAndArgsThrowEx(queryText, args);
// Parameterize given arguments
IEnumerable <Documents.SqlParameter> parsedParameters;
if (!AntiSQLiCommon.TryConvertObjectsToDbParameterCollection(out parsedParameters, args))
{
throw new AntiSQLiException(Resources.AntiSQLiResource.Error_UnableToParseArguments);
}
// If no parameters parsed, then stop execution, may not be safe to continue
if (parsedParameters.Count() == 0)
{
throw new AntiSQLiException(Resources.AntiSQLiResource.Error_NoParametersParsed);
}
// Substitute the queryText formatters (i.e. {0} .. {N}) with the
// proper parameter names (i.e., @AntiSQLiParam1 ... @AntiSQLiParamN,
// where N is the number of elements in the args params
String parameterizedQueryText;
if (!AntiSQLiCommon.TryParameterizeQueryText(queryText, parsedParameters, out parameterizedQueryText))
{
throw new AntiSQLiException(Resources.AntiSQLiResource.Error_UnableToParameterizeQuery);
}
// Create final QueryDefinition object and add parameters
QueryDefinition finalQueryDefinition = new QueryDefinition(parameterizedQueryText);
foreach (var p in parsedParameters)
{
finalQueryDefinition = finalQueryDefinition.WithParameter(p.Name, p.Value);
}
return(finalQueryDefinition);
}
