Closed
Description
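```csharp
using System;
using System.Data;
using MySqlConnector;

// `conn` is an open MySqlConnection; MySqlBulkCopy needs AllowLoadLocalInfile=true
// in its connection string.

// Create a table whose only column name starts with '@'.
using (var cmd = new MySqlCommand("""
    drop table if exists test;
    create table test(`@a` int);
    insert into test values(1);
    """, conn))
    cmd.ExecuteNonQuery();

// Bulk-copy one more row (value 2) into the table.
var bulkCopy = new MySqlBulkCopy(conn)
{
    DestinationTableName = "test",
};
var dataTable = new DataTable();
dataTable.Columns.Add(new DataColumn() { DataType = typeof(int) });
dataTable.Rows.Add(new object[] { 2 });
bulkCopy.WriteToServer(dataTable);

// Read the rows back.
using (var cmd = new MySqlCommand("select * from test;", conn))
using (var reader = cmd.ExecuteReader())
{
    while (reader.Read())
        Console.WriteLine($"{reader.IsDBNull(0)} {reader.GetValue(0)}"); // second row is NULL
}
```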
The leading `@` in the column name is detected as a variable; it should be quoted as an identifier instead.
Related to https://github.com/mysql-net/MySqlConnector/security/code-scanning/3.
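The quoting the description asks for, as an added sketch that is not MySqlConnector's own code. `MySqlBulkCopy` loads rows with `LOAD DATA LOCAL INFILE`, and in that statement's column list an unquoted name starting with `@` is a user variable, so the value never reaches the column. `QuoteIdentifier`, `Unquoted` and `Quoted` are hypothetical names, and the column names other than `@a` are constructed samples.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical helpers for illustration; not part of MySqlConnector's API.
static class LoadDataColumns
{
    // Backtick-quote a MySQL identifier, doubling any embedded backtick so the
    // name cannot terminate the quoted identifier early.
    public static string QuoteIdentifier(string name)
    {
        if (string.IsNullOrEmpty(name))
            throw new ArgumentException("Identifier must not be empty.", nameof(name));
        if (name.Contains('\0'))
            throw new ArgumentException("Identifier must not contain NUL.", nameof(name));
        return "`" + name.Replace("`", "``") + "`";
    }

    // Before: names are emitted as-is, so "@a" is parsed as a user variable
    // and the target column is left at its default (NULL in the report).
    public static string Unquoted(IEnumerable<string> names) =>
        "(" + string.Join(", ", names) + ")";

    // After: every name is an identifier, whatever characters it contains.
    public static string Quoted(IEnumerable<string> names) =>
        "(" + string.Join(", ", names.Select(QuoteIdentifier)) + ")";
}

static class Program
{
    static void Main()
    {
        // Constructed sample names; "@a" is the column from the report, the
        // others cover a reserved word and an embedded backtick.
        var names = new[] { "@a", "order", "we`ird" };
        var table = LoadDataColumns.QuoteIdentifier("test");

        Console.WriteLine("before: ... INTO TABLE " + table + " " + LoadDataColumns.Unquoted(names));
        Console.WriteLine("after:  ... INTO TABLE " + table + " " + LoadDataColumns.Quoted(names));
    }
}
```

Quoting every identifier unconditionally, rather than only those that look risky, also covers reserved words and names containing a backtick, which would otherwise change how the generated statement parses.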