Tags: c#, .net, sql-injection, petapoco

Does PetaPoco's Query(string query, parameters) method protect from SQL injection?


On PetaPoco's home page there is a mention that PetaPoco's SQL Builder (Sql object) protects from SQL injection. But does the Query(string query, parameters) method protect from SQL injection?

SQL Builder is safe:

var id = 123;
var a = db.Query<article>(PetaPoco.Sql.Builder
  .Append("SELECT * FROM articles")
  .Append("WHERE article_id=@0", id)
);

But is it safe with a string query where parameters are passed like this?

var id = 123;
var a = db.Query<article>("SELECT * FROM articles WHERE article_id=@0", id);

Solution

  • Yes, it does protect against SQL injection.

    You can verify this, if you aren't sure, by running a SQL Trace on the SQL being executed. Or provide some inputs with a single and a double quote in them (against an nvarchar column) and see whether a runtime exception occurs (which would occur if SQL injection was a problem).

    See also https://github.com/CollaboratingPlatypus/PetaPoco/issues/326#issuecomment-238538854 :

    "This is the correct behaviour. The SQL and parameters are passed to the DB Command to prevent injection based attacks. The connected DB will put the SQL and parameters together in a safe manner."
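The quote test the answer describes, written out as an added example (not code from the question, the answer or the PetaPoco project): the concatenated query fails on a value containing a single quote, while the `@0` placeholder form runs because PetaPoco hands the value to the DB command as a parameter. The `articles` table, the `title` nvarchar column, the connection string and the `Database(connectionString, providerName)` constructor are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using PetaPoco;

// Assumed schema: table "articles" with article_id (int) and title (nvarchar).
public class Article
{
    public int article_id { get; set; }
    public string title { get; set; }
}

public static class PetaPocoParamCheck
{
    // UNSAFE pattern: the caller's text is spliced into the SQL text itself.
    // A value such as O'Reilly breaks the statement, which is exactly what the
    // quote test in the answer looks for.
    public static List<Article> FindByTitleUnsafe(Database db, string title)
    {
        return db.Fetch<Article>("SELECT * FROM articles WHERE title = '" + title + "'");
    }

    // SAFE pattern: @0 is a placeholder. PetaPoco binds the value as a command
    // parameter, so the quote characters are treated as data, not as SQL.
    public static List<Article> FindByTitle(Database db, string title)
    {
        return db.Fetch<Article>("SELECT * FROM articles WHERE title = @0", title);
    }

    public static void Main()
    {
        // Hypothetical connection details; adjust for your own environment.
        var db = new Database("Server=.;Database=Blog;Trusted_Connection=True;",
                              "System.Data.SqlClient");
        var probe = "O'Reilly \"quoted\"";   // constructed input with both quote kinds

        try
        {
            FindByTitleUnsafe(db, probe);
            Console.WriteLine("unsafe query ran without error (unexpected)");
        }
        catch (Exception ex)
        {
            // Expected: the spliced quote produces a SQL syntax error.
            Console.WriteLine("unsafe query failed as expected: " + ex.Message);
        }

        var rows = FindByTitle(db, probe);
        Console.WriteLine("parameterised query ran, rows returned: " + rows.Count);
    }
}
```

Placeholders bind values only; a table or column name assembled from caller input is not covered by this mechanism and still has to come from a fixed allow-list in your own code.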