dotnet
diff --git a/‎src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlCommand.cs‎
Lines changed: 33 additions & 17 deletions b/‎src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlCommand.cs‎
Lines changed: 33 additions & 17 deletions
diff --git a/‎src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParser.cs‎
Lines changed: 25 additions & 8 deletions b/‎src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParser.cs‎
Lines changed: 25 additions & 8 deletions
diff --git a/‎src/Microsoft.Data.SqlClient/netfx/src/Microsoft/Data/SqlClient/SqlCommand.cs‎
Lines changed: 34 additions & 19 deletions b/‎src/Microsoft.Data.SqlClient/netfx/src/Microsoft/Data/SqlClient/SqlCommand.cs‎
Lines changed: 34 additions & 19 deletions
@@ -4363,7 +4363,7 @@ private void ReadDescribeEncryptionParameterResults(SqlDataReader ds, ReadOnlyDi
                             SqlParameter sqlParameter = rpc.userParams[index];
                             Debug.Assert(sqlParameter != null, "sqlParameter should not be null.");
 
-                            if (sqlParameter.ParameterNameFixed.Equals(parameterName, StringComparison.Ordinal))
+                            if (SqlParameter.ParameterNamesEqual(sqlParameter.ParameterName,parameterName,StringComparison.Ordinal))
                             {
                                 Debug.Assert(sqlParameter.CipherMetadata == null, "param.CipherMetadata should be null.");
                                 sqlParameter.HasReceivedMetadata = true;
@@ -5457,7 +5457,7 @@ internal void OnReturnValue(SqlReturnValue rec, TdsParserStateObject stateObj)
                 {
                     if (rec.tdsType != TdsEnums.SQLBIGVARBINARY)
                     {
-                        throw SQL.InvalidDataTypeForEncryptedParameter(thisParam.ParameterNameFixed, rec.tdsType, TdsEnums.SQLBIGVARBINARY);
+                        throw SQL.InvalidDataTypeForEncryptedParameter(thisParam.GetPrefixedParameterName(), rec.tdsType, TdsEnums.SQLBIGVARBINARY);
                     }
 
                     // Decrypt the ciphertext
@@ -5487,7 +5487,7 @@ internal void OnReturnValue(SqlReturnValue rec, TdsParserStateObject stateObj)
                         }
                         catch (Exception e)
                         {
-                            throw SQL.ParamDecryptionFailed(thisParam.ParameterNameFixed, null, e);
+                            throw SQL.ParamDecryptionFailed(thisParam.GetPrefixedParameterName(), null, e);
                         }
                     }
                     else
@@ -5628,7 +5628,11 @@ private SqlParameter GetParameterForOutputValueExtraction(SqlParameterCollection
                 {
                     thisParam = parameters[i];
                     // searching for Output or InputOutput or ReturnValue with matching name
-                    if (thisParam.Direction != ParameterDirection.Input && thisParam.Direction != ParameterDirection.ReturnValue && paramName == thisParam.ParameterNameFixed)
+                    if (
+                        thisParam.Direction != ParameterDirection.Input && 
+                        thisParam.Direction != ParameterDirection.ReturnValue && 
+                        SqlParameter.ParameterNamesEqual(paramName, thisParam.ParameterName,StringComparison.Ordinal)
+                    )
                     {
                         foundParam = true;
                         break; // found it
@@ -5999,11 +6003,11 @@ private SqlParameter BuildStoredProcedureStatementForColumnEncryption(string sto
 
             // Find the return value parameter (if any).
             SqlParameter returnValueParameter = null;
-            foreach (SqlParameter parameter in parameters)
+            foreach (SqlParameter param in parameters)
             {
-                if (parameter.Direction == ParameterDirection.ReturnValue)
+                if (param.Direction == ParameterDirection.ReturnValue)
                 {
-                    returnValueParameter = parameter;
+                    returnValueParameter = param;
                     break;
                 }
             }
@@ -6012,7 +6016,8 @@ private SqlParameter BuildStoredProcedureStatementForColumnEncryption(string sto
             // EXEC @returnValue = moduleName [parameters]
             if (returnValueParameter != null)
             {
-                execStatement.AppendFormat(@"{0}=", returnValueParameter.ParameterNameFixed);
+                SqlParameter.AppendPrefixedParameterName(execStatement, returnValueParameter.ParameterName);
+                execStatement.Append('=');
             }
 
             execStatement.Append(ParseAndQuoteIdentifier(storedProcedureName, false));
@@ -6023,6 +6028,7 @@ private SqlParameter BuildStoredProcedureStatementForColumnEncryption(string sto
             // Append the first parameter
             int index = 0;
             int count = parameters.Count;
+            SqlParameter parameter;
             if (count > 0)
             {
                 // Skip the return value parameters.
@@ -6033,15 +6039,19 @@ private SqlParameter BuildStoredProcedureStatementForColumnEncryption(string sto
 
                 if (index < count)
                 {
+                    parameter = parameters[index];
                     // Possibility of a SQL Injection issue through parameter names and how to construct valid identifier for parameters.
                     // Since the parameters comes from application itself, there should not be a security vulnerability.
                     // Also since the query is not executed, but only analyzed there is no possibility for elevation of privilege, but only for
                     // incorrect results which would only affect the user that attempts the injection.
-                    execStatement.AppendFormat(@" {0}={0}", parameters[index].ParameterNameFixed);
+                    execStatement.Append(' ');
+                    SqlParameter.AppendPrefixedParameterName(execStatement, parameter.ParameterName);
+                    execStatement.Append('=');
+                    SqlParameter.AppendPrefixedParameterName(execStatement, parameter.ParameterName);
 
                     // InputOutput and Output parameters need to be marked as such.
-                    if (parameters[index].Direction == ParameterDirection.Output ||
-                        parameters[index].Direction == ParameterDirection.InputOutput)
+                    if (parameter.Direction == ParameterDirection.Output ||
+                        parameter.Direction == ParameterDirection.InputOutput)
                     {
                         execStatement.AppendFormat(@" OUTPUT");
                     }
@@ -6054,14 +6064,18 @@ private SqlParameter BuildStoredProcedureStatementForColumnEncryption(string sto
             // Append the rest of parameters
             for (; index < count; index++)
             {
-                if (parameters[index].Direction != ParameterDirection.ReturnValue)
+                parameter = parameters[index];
+                if (parameter.Direction != ParameterDirection.ReturnValue)
                 {
-                    execStatement.AppendFormat(@", {0}={0}", parameters[index].ParameterNameFixed);
+                    execStatement.Append(", ");
+                    SqlParameter.AppendPrefixedParameterName(execStatement, parameter.ParameterName);
+                    execStatement.Append('=');
+                    SqlParameter.AppendPrefixedParameterName(execStatement, parameter.ParameterName);
 
                     // InputOutput and Output parameters need to be marked as such.
                     if (
-                        parameters[index].Direction == ParameterDirection.Output ||
-                        parameters[index].Direction == ParameterDirection.InputOutput
+                        parameter.Direction == ParameterDirection.Output ||
+                        parameter.Direction == ParameterDirection.InputOutput
                     )
                     {
                         execStatement.AppendFormat(@" OUTPUT");
@@ -6095,9 +6109,11 @@ internal string BuildParamList(TdsParser parser, SqlParameterCollection paramete
 
                 // add our separator for the ith parameter
                 if (fAddSeparator)
+                {
                     paramList.Append(',');
+                }
 
-                paramList.Append(sqlParam.ParameterNameFixed);
+                SqlParameter.AppendPrefixedParameterName(paramList, sqlParam.ParameterName);
 
                 MetaType mt = sqlParam.InternalMetaType;
 
@@ -6120,7 +6136,7 @@ internal string BuildParamList(TdsParser parser, SqlParameterCollection paramete
                     string typeName = sqlParam.TypeName;
                     if (string.IsNullOrEmpty(typeName))
                     {
-                        throw SQL.MustSetTypeNameForParam(mt.TypeName, sqlParam.ParameterNameFixed);
+                        throw SQL.MustSetTypeNameForParam(mt.TypeName, sqlParam.GetPrefixedParameterName());
                     }
                     paramList.Append(ParseAndQuoteIdentifier(typeName, false /* is not UdtTypeName*/));
 
 
@@ -9312,7 +9312,7 @@ private Task TDSExecuteRPCAddParameter(TdsParserStateObject stateObj, SqlParamet
                 }
             }
 
-            WriteParameterName(param.ParameterNameFixed, stateObj, isAnonymous);
+            WriteParameterName(param.ParameterName, stateObj, isAnonymous);
 
             // Write parameter status
             stateObj.WriteByte(options);
@@ -9833,17 +9833,34 @@ private void ExecuteFlushTaskCallback(Task tsk, TdsParserStateObject stateObj, T
             }
         }
 
-
-        private void WriteParameterName(string parameterName, TdsParserStateObject stateObj, bool isAnonymous)
+        /// <summary>
+        /// Will check the parameter name for the required @ prefix and then write the correct prefixed
+        /// form and correct character length to the output buffer
+        /// </summary>
+        private void WriteParameterName(string rawParameterName, TdsParserStateObject stateObj, bool isAnonymous)
         {
             // paramLen
             // paramName
-            if (!isAnonymous && !string.IsNullOrEmpty(parameterName))
+            if (!isAnonymous && !string.IsNullOrEmpty(rawParameterName))
             {
-                Debug.Assert(parameterName.Length <= 0xff, "parameter name can only be 255 bytes, shouldn't get to TdsParser!");
-                int tempLen = parameterName.Length & 0xff;
-                stateObj.WriteByte((byte)tempLen);
-                WriteString(parameterName, tempLen, 0, stateObj);
+                int nameLength = rawParameterName.Length;
+                int totalLength = nameLength;
+                bool writePrefix = false;
+                if (nameLength > 0)
+                {
+                    if (rawParameterName[0] != '@')
+                    {
+                        writePrefix = true;
+                        totalLength += 1;
+                    }
+                }
+                Debug.Assert(totalLength <= 0xff, "parameter name can only be 255 bytes, shouldn't get to TdsParser!");
+                stateObj.WriteByte((byte)(totalLength & 0xFF));
+                if (writePrefix)
+                {
+                    WriteString("@", 1, 0, stateObj);
+                }
+                WriteString(rawParameterName, nameLength, 0, stateObj);
             }
             else
             {
 
@@ -4881,7 +4881,7 @@ private void ReadDescribeEncryptionParameterResults(SqlDataReader ds, ReadOnlyDi
                             SqlParameter sqlParameter = rpc.userParams[index];
                             Debug.Assert(sqlParameter != null, "sqlParameter should not be null.");
 
-                            if (sqlParameter.ParameterNameFixed.Equals(parameterName, StringComparison.Ordinal))
+                            if (SqlParameter.ParameterNamesEqual(sqlParameter.ParameterName, parameterName, StringComparison.Ordinal))
                             {
                                 Debug.Assert(sqlParameter.CipherMetadata == null, "param.CipherMetadata should be null.");
                                 sqlParameter.HasReceivedMetadata = true;
@@ -6239,7 +6239,7 @@ internal void OnReturnValue(SqlReturnValue rec, TdsParserStateObject stateObj)
                 {
                     if (rec.tdsType != TdsEnums.SQLBIGVARBINARY)
                     {
-                        throw SQL.InvalidDataTypeForEncryptedParameter(thisParam.ParameterNameFixed, rec.tdsType, TdsEnums.SQLBIGVARBINARY);
+                        throw SQL.InvalidDataTypeForEncryptedParameter(thisParam.GetPrefixedParameterName(), rec.tdsType, TdsEnums.SQLBIGVARBINARY);
                     }
 
                     // Decrypt the ciphertext
@@ -6269,7 +6269,7 @@ internal void OnReturnValue(SqlReturnValue rec, TdsParserStateObject stateObj)
                         }
                         catch (Exception e)
                         {
-                            throw SQL.ParamDecryptionFailed(thisParam.ParameterNameFixed, null, e);
+                            throw SQL.ParamDecryptionFailed(thisParam.GetPrefixedParameterName(), null, e);
                         }
                     }
                     else
@@ -6462,7 +6462,11 @@ private SqlParameter GetParameterForOutputValueExtraction(SqlParameterCollection
                 {
                     thisParam = parameters[i];
                     // searching for Output or InputOutput or ReturnValue with matching name
-                    if (thisParam.Direction != ParameterDirection.Input && thisParam.Direction != ParameterDirection.ReturnValue && paramName == thisParam.ParameterNameFixed)
+                    if (
+                        thisParam.Direction != ParameterDirection.Input && 
+                        thisParam.Direction != ParameterDirection.ReturnValue && 
+                        SqlParameter.ParameterNamesEqual(paramName, thisParam.ParameterName,StringComparison.Ordinal)
+                    )
                     {
                         foundParam = true;
                         break; // found it
@@ -6850,11 +6854,11 @@ private SqlParameter BuildStoredProcedureStatementForColumnEncryption(string sto
 
             // Find the return value parameter (if any).
             SqlParameter returnValueParameter = null;
-            foreach (SqlParameter parameter in parameters)
+            foreach (SqlParameter param in parameters)
             {
-                if (parameter.Direction == ParameterDirection.ReturnValue)
+                if (param.Direction == ParameterDirection.ReturnValue)
                 {
-                    returnValueParameter = parameter;
+                    returnValueParameter = param;
                     break;
                 }
             }
@@ -6863,7 +6867,8 @@ private SqlParameter BuildStoredProcedureStatementForColumnEncryption(string sto
             // EXEC @returnValue = moduleName [parameters]
             if (returnValueParameter != null)
             {
-                execStatement.AppendFormat(@"{0}=", returnValueParameter.ParameterNameFixed);
+                SqlParameter.AppendPrefixedParameterName(execStatement, returnValueParameter.ParameterName);
+                execStatement.Append('=');
             }
 
             execStatement.Append(ParseAndQuoteIdentifier(storedProcedureName, false));
@@ -6874,6 +6879,7 @@ private SqlParameter BuildStoredProcedureStatementForColumnEncryption(string sto
             // Append the first parameter
             int index = 0;
             int count = parameters.Count;
+            SqlParameter parameter;
             if (count > 0)
             {
                 // Skip the return value parameters.
@@ -6884,16 +6890,20 @@ private SqlParameter BuildStoredProcedureStatementForColumnEncryption(string sto
 
                 if (index < count)
                 {
+                    parameter = parameters[index];
                     // Possibility of a SQL Injection issue through parameter names and how to construct valid identifier for parameters.
                     // Since the parameters comes from application itself, there should not be a security vulnerability.
                     // Also since the query is not executed, but only analyzed there is no possibility for elevation of priviledge, but only for 
                     // incorrect results which would only affect the user that attempts the injection.
-                    execStatement.AppendFormat(@" {0}={0}", parameters[index].ParameterNameFixed);
+                    execStatement.Append(' ');
+                    SqlParameter.AppendPrefixedParameterName(execStatement, parameter.ParameterName);
+                    execStatement.Append('=');
+                    SqlParameter.AppendPrefixedParameterName(execStatement, parameter.ParameterName);
 
                     // InputOutput and Output parameters need to be marked as such.
                     if (
-                        parameters[index].Direction == ParameterDirection.Output ||
-                        parameters[index].Direction == ParameterDirection.InputOutput
+                        parameter.Direction == ParameterDirection.Output ||
+                        parameter.Direction == ParameterDirection.InputOutput
                     )
                     {
                         execStatement.AppendFormat(@" OUTPUT");
@@ -6907,14 +6917,18 @@ private SqlParameter BuildStoredProcedureStatementForColumnEncryption(string sto
             // Append the rest of parameters
             for (; index < count; index++)
             {
-                if (parameters[index].Direction != ParameterDirection.ReturnValue)
+                parameter = parameters[index];
+                if (parameter.Direction != ParameterDirection.ReturnValue)
                 {
-                    execStatement.AppendFormat(@", {0}={0}", parameters[index].ParameterNameFixed);
+                    execStatement.Append(", ");
+                    SqlParameter.AppendPrefixedParameterName(execStatement, parameter.ParameterName);
+                    execStatement.Append('=');
+                    SqlParameter.AppendPrefixedParameterName(execStatement, parameter.ParameterName);
 
                     // InputOutput and Output parameters need to be marked as such.
                     if (
-                        parameters[index].Direction == ParameterDirection.Output ||
-                        parameters[index].Direction == ParameterDirection.InputOutput
+                        parameter.Direction == ParameterDirection.Output ||
+                        parameter.Direction == ParameterDirection.InputOutput
                     )
                     {
                         execStatement.AppendFormat(@" OUTPUT");
@@ -6946,9 +6960,10 @@ internal string BuildParamList(TdsParser parser, SqlParameterCollection paramete
 
                 // add our separator for the ith parameter
                 if (fAddSeparator)
+                {
                     paramList.Append(',');
-
-                paramList.Append(sqlParam.ParameterNameFixed);
+                }
+                SqlParameter.AppendPrefixedParameterName(paramList, sqlParam.ParameterName);
 
                 MetaType mt = sqlParam.InternalMetaType;
 
@@ -6957,7 +6972,7 @@ internal string BuildParamList(TdsParser parser, SqlParameterCollection paramete
 
                 // paragraph above doesn't seem to be correct. Server won't find the type
                 // if we don't provide a fully qualified name
-                paramList.Append(" ");
+                paramList.Append(' ');
                 if (mt.SqlDbType == SqlDbType.Udt)
                 {
                     string fullTypeName = sqlParam.UdtTypeName;
@@ -6971,7 +6986,7 @@ internal string BuildParamList(TdsParser parser, SqlParameterCollection paramete
                     string typeName = sqlParam.TypeName;
                     if (ADP.IsEmpty(typeName))
                     {
-                        throw SQL.MustSetTypeNameForParam(mt.TypeName, sqlParam.ParameterNameFixed);
+                        throw SQL.MustSetTypeNameForParam(mt.TypeName, sqlParam.GetPrefixedParameterName());
                     }
                     paramList.Append(ParseAndQuoteIdentifier(typeName, false /* is not UdtTypeName*/));
Original file line number	Diff line number	Diff line change
`@@ -4363,7 +4363,7 @@ private void ReadDescribeEncryptionParameterResults(SqlDataReader ds, ReadOnlyDi`
`4363`	`4363`	`SqlParameter sqlParameter = rpc.userParams[index];`
`4364`	`4364`	`Debug.Assert(sqlParameter != null, "sqlParameter should not be null.");`
`4365`	`4365`
`4366`		`- if (sqlParameter.ParameterNameFixed.Equals(parameterName, StringComparison.Ordinal))`
	`4366`	`+ if (SqlParameter.ParameterNamesEqual(sqlParameter.ParameterName,parameterName,StringComparison.Ordinal))`
`4367`	`4367`	`{`
`4368`	`4368`	`Debug.Assert(sqlParameter.CipherMetadata == null, "param.CipherMetadata should be null.");`
`4369`	`4369`	`sqlParameter.HasReceivedMetadata = true;`
`@@ -5457,7 +5457,7 @@ internal void OnReturnValue(SqlReturnValue rec, TdsParserStateObject stateObj)`
`5457`	`5457`	`{`
`5458`	`5458`	`if (rec.tdsType != TdsEnums.SQLBIGVARBINARY)`
`5459`	`5459`	`{`
`5460`		`- throw SQL.InvalidDataTypeForEncryptedParameter(thisParam.ParameterNameFixed, rec.tdsType, TdsEnums.SQLBIGVARBINARY);`
	`5460`	`+ throw SQL.InvalidDataTypeForEncryptedParameter(thisParam.GetPrefixedParameterName(), rec.tdsType, TdsEnums.SQLBIGVARBINARY);`
`5461`	`5461`	`}`
`5462`	`5462`
`5463`	`5463`	`// Decrypt the ciphertext`
`@@ -5487,7 +5487,7 @@ internal void OnReturnValue(SqlReturnValue rec, TdsParserStateObject stateObj)`
`5487`	`5487`	`}`
`5488`	`5488`	`catch (Exception e)`
`5489`	`5489`	`{`
`5490`		`- throw SQL.ParamDecryptionFailed(thisParam.ParameterNameFixed, null, e);`
	`5490`	`+ throw SQL.ParamDecryptionFailed(thisParam.GetPrefixedParameterName(), null, e);`
`5491`	`5491`	`}`
`5492`	`5492`	`}`
`5493`	`5493`	`else`
`@@ -5628,7 +5628,11 @@ private SqlParameter GetParameterForOutputValueExtraction(SqlParameterCollection`
`5628`	`5628`	`{`
`5629`	`5629`	`thisParam = parameters[i];`
`5630`	`5630`	`// searching for Output or InputOutput or ReturnValue with matching name`
`5631`		`- if (thisParam.Direction != ParameterDirection.Input && thisParam.Direction != ParameterDirection.ReturnValue && paramName == thisParam.ParameterNameFixed)`
	`5631`	`+ if (`
	`5632`	`+ thisParam.Direction != ParameterDirection.Input &&`
	`5633`	`+ thisParam.Direction != ParameterDirection.ReturnValue &&`
	`5634`	`+ SqlParameter.ParameterNamesEqual(paramName, thisParam.ParameterName,StringComparison.Ordinal)`
	`5635`	`+ )`
`5632`	`5636`	`{`
`5633`	`5637`	`foundParam = true;`
`5634`	`5638`	`break; // found it`
`@@ -5999,11 +6003,11 @@ private SqlParameter BuildStoredProcedureStatementForColumnEncryption(string sto`
`5999`	`6003`
`6000`	`6004`	`// Find the return value parameter (if any).`
`6001`	`6005`	`SqlParameter returnValueParameter = null;`
`6002`		`- foreach (SqlParameter parameter in parameters)`
	`6006`	`+ foreach (SqlParameter param in parameters)`
`6003`	`6007`	`{`
`6004`		`- if (parameter.Direction == ParameterDirection.ReturnValue)`
	`6008`	`+ if (param.Direction == ParameterDirection.ReturnValue)`
`6005`	`6009`	`{`
`6006`		`- returnValueParameter = parameter;`
	`6010`	`+ returnValueParameter = param;`
`6007`	`6011`	`break;`
`6008`	`6012`	`}`
`6009`	`6013`	`}`
`@@ -6012,7 +6016,8 @@ private SqlParameter BuildStoredProcedureStatementForColumnEncryption(string sto`
`6012`	`6016`	`// EXEC @returnValue = moduleName [parameters]`
`6013`	`6017`	`if (returnValueParameter != null)`
`6014`	`6018`	`{`
`6015`		`- execStatement.AppendFormat(@"{0}=", returnValueParameter.ParameterNameFixed);`
	`6019`	`+ SqlParameter.AppendPrefixedParameterName(execStatement, returnValueParameter.ParameterName);`
	`6020`	`+ execStatement.Append('=');`
`6016`	`6021`	`}`
`6017`	`6022`
`6018`	`6023`	`execStatement.Append(ParseAndQuoteIdentifier(storedProcedureName, false));`
`@@ -6023,6 +6028,7 @@ private SqlParameter BuildStoredProcedureStatementForColumnEncryption(string sto`
`6023`	`6028`	`// Append the first parameter`
`6024`	`6029`	`int index = 0;`
`6025`	`6030`	`int count = parameters.Count;`
	`6031`	`+ SqlParameter parameter;`
`6026`	`6032`	`if (count > 0)`
`6027`	`6033`	`{`
`6028`	`6034`	`// Skip the return value parameters.`
`@@ -6033,15 +6039,19 @@ private SqlParameter BuildStoredProcedureStatementForColumnEncryption(string sto`
`6033`	`6039`
`6034`	`6040`	`if (index < count)`
`6035`	`6041`	`{`
	`6042`	`+ parameter = parameters[index];`
`6036`	`6043`	`// Possibility of a SQL Injection issue through parameter names and how to construct valid identifier for parameters.`
`6037`	`6044`	`// Since the parameters comes from application itself, there should not be a security vulnerability.`
`6038`	`6045`	`// Also since the query is not executed, but only analyzed there is no possibility for elevation of privilege, but only for`
`6039`	`6046`	`// incorrect results which would only affect the user that attempts the injection.`
`6040`		`- execStatement.AppendFormat(@" {0}={0}", parameters[index].ParameterNameFixed);`
	`6047`	`+ execStatement.Append(' ');`
	`6048`	`+ SqlParameter.AppendPrefixedParameterName(execStatement, parameter.ParameterName);`
	`6049`	`+ execStatement.Append('=');`
	`6050`	`+ SqlParameter.AppendPrefixedParameterName(execStatement, parameter.ParameterName);`
`6041`	`6051`
`6042`	`6052`	`// InputOutput and Output parameters need to be marked as such.`
`6043`		`- if (parameters[index].Direction == ParameterDirection.Output \|\|`
`6044`		`- parameters[index].Direction == ParameterDirection.InputOutput)`
	`6053`	`+ if (parameter.Direction == ParameterDirection.Output \|\|`
	`6054`	`+ parameter.Direction == ParameterDirection.InputOutput)`
`6045`	`6055`	`{`
`6046`	`6056`	`execStatement.AppendFormat(@" OUTPUT");`
`6047`	`6057`	`}`
`@@ -6054,14 +6064,18 @@ private SqlParameter BuildStoredProcedureStatementForColumnEncryption(string sto`
`6054`	`6064`	`// Append the rest of parameters`
`6055`	`6065`	`for (; index < count; index++)`
`6056`	`6066`	`{`
`6057`		`- if (parameters[index].Direction != ParameterDirection.ReturnValue)`
	`6067`	`+ parameter = parameters[index];`
	`6068`	`+ if (parameter.Direction != ParameterDirection.ReturnValue)`
`6058`	`6069`	`{`
`6059`		`- execStatement.AppendFormat(@", {0}={0}", parameters[index].ParameterNameFixed);`
	`6070`	`+ execStatement.Append(", ");`
	`6071`	`+ SqlParameter.AppendPrefixedParameterName(execStatement, parameter.ParameterName);`
	`6072`	`+ execStatement.Append('=');`
	`6073`	`+ SqlParameter.AppendPrefixedParameterName(execStatement, parameter.ParameterName);`
`6060`	`6074`
`6061`	`6075`	`// InputOutput and Output parameters need to be marked as such.`
`6062`	`6076`	`if (`
`6063`		`- parameters[index].Direction == ParameterDirection.Output \|\|`
`6064`		`- parameters[index].Direction == ParameterDirection.InputOutput`
	`6077`	`+ parameter.Direction == ParameterDirection.Output \|\|`
	`6078`	`+ parameter.Direction == ParameterDirection.InputOutput`
`6065`	`6079`	`)`
`6066`	`6080`	`{`
`6067`	`6081`	`execStatement.AppendFormat(@" OUTPUT");`
`@@ -6095,9 +6109,11 @@ internal string BuildParamList(TdsParser parser, SqlParameterCollection paramete`
`6095`	`6109`
`6096`	`6110`	`// add our separator for the ith parameter`
`6097`	`6111`	`if (fAddSeparator)`
	`6112`	`+ {`
`6098`	`6113`	`paramList.Append(',');`
	`6114`	`+ }`
`6099`	`6115`
`6100`		`- paramList.Append(sqlParam.ParameterNameFixed);`
	`6116`	`+ SqlParameter.AppendPrefixedParameterName(paramList, sqlParam.ParameterName);`
`6101`	`6117`
`6102`	`6118`	`MetaType mt = sqlParam.InternalMetaType;`
`6103`	`6119`
`@@ -6120,7 +6136,7 @@ internal string BuildParamList(TdsParser parser, SqlParameterCollection paramete`
`6120`	`6136`	`string typeName = sqlParam.TypeName;`
`6121`	`6137`	`if (string.IsNullOrEmpty(typeName))`
`6122`	`6138`	`{`
`6123`		`- throw SQL.MustSetTypeNameForParam(mt.TypeName, sqlParam.ParameterNameFixed);`
	`6139`	`+ throw SQL.MustSetTypeNameForParam(mt.TypeName, sqlParam.GetPrefixedParameterName());`
`6124`	`6140`	`}`
`6125`	`6141`	`paramList.Append(ParseAndQuoteIdentifier(typeName, false /* is not UdtTypeName*/));`
`6126`	`6142`
Original file line number	Diff line number	Diff line change
`@@ -4881,7 +4881,7 @@ private void ReadDescribeEncryptionParameterResults(SqlDataReader ds, ReadOnlyDi`
`4881`	`4881`	`SqlParameter sqlParameter = rpc.userParams[index];`
`4882`	`4882`	`Debug.Assert(sqlParameter != null, "sqlParameter should not be null.");`
`4883`	`4883`
`4884`		`- if (sqlParameter.ParameterNameFixed.Equals(parameterName, StringComparison.Ordinal))`
	`4884`	`+ if (SqlParameter.ParameterNamesEqual(sqlParameter.ParameterName, parameterName, StringComparison.Ordinal))`
`4885`	`4885`	`{`
`4886`	`4886`	`Debug.Assert(sqlParameter.CipherMetadata == null, "param.CipherMetadata should be null.");`
`4887`	`4887`	`sqlParameter.HasReceivedMetadata = true;`
`@@ -6239,7 +6239,7 @@ internal void OnReturnValue(SqlReturnValue rec, TdsParserStateObject stateObj)`
`6239`	`6239`	`{`
`6240`	`6240`	`if (rec.tdsType != TdsEnums.SQLBIGVARBINARY)`
`6241`	`6241`	`{`
`6242`		`- throw SQL.InvalidDataTypeForEncryptedParameter(thisParam.ParameterNameFixed, rec.tdsType, TdsEnums.SQLBIGVARBINARY);`
	`6242`	`+ throw SQL.InvalidDataTypeForEncryptedParameter(thisParam.GetPrefixedParameterName(), rec.tdsType, TdsEnums.SQLBIGVARBINARY);`
`6243`	`6243`	`}`
`6244`	`6244`
`6245`	`6245`	`// Decrypt the ciphertext`
`@@ -6269,7 +6269,7 @@ internal void OnReturnValue(SqlReturnValue rec, TdsParserStateObject stateObj)`
`6269`	`6269`	`}`
`6270`	`6270`	`catch (Exception e)`
`6271`	`6271`	`{`
`6272`		`- throw SQL.ParamDecryptionFailed(thisParam.ParameterNameFixed, null, e);`
	`6272`	`+ throw SQL.ParamDecryptionFailed(thisParam.GetPrefixedParameterName(), null, e);`
`6273`	`6273`	`}`
`6274`	`6274`	`}`
`6275`	`6275`	`else`
`@@ -6462,7 +6462,11 @@ private SqlParameter GetParameterForOutputValueExtraction(SqlParameterCollection`
`6462`	`6462`	`{`
`6463`	`6463`	`thisParam = parameters[i];`
`6464`	`6464`	`// searching for Output or InputOutput or ReturnValue with matching name`
`6465`		`- if (thisParam.Direction != ParameterDirection.Input && thisParam.Direction != ParameterDirection.ReturnValue && paramName == thisParam.ParameterNameFixed)`
	`6465`	`+ if (`
	`6466`	`+ thisParam.Direction != ParameterDirection.Input &&`
	`6467`	`+ thisParam.Direction != ParameterDirection.ReturnValue &&`
	`6468`	`+ SqlParameter.ParameterNamesEqual(paramName, thisParam.ParameterName,StringComparison.Ordinal)`
	`6469`	`+ )`
`6466`	`6470`	`{`
`6467`	`6471`	`foundParam = true;`
`6468`	`6472`	`break; // found it`
`@@ -6850,11 +6854,11 @@ private SqlParameter BuildStoredProcedureStatementForColumnEncryption(string sto`
`6850`	`6854`
`6851`	`6855`	`// Find the return value parameter (if any).`
`6852`	`6856`	`SqlParameter returnValueParameter = null;`
`6853`		`- foreach (SqlParameter parameter in parameters)`
	`6857`	`+ foreach (SqlParameter param in parameters)`
`6854`	`6858`	`{`
`6855`		`- if (parameter.Direction == ParameterDirection.ReturnValue)`
	`6859`	`+ if (param.Direction == ParameterDirection.ReturnValue)`
`6856`	`6860`	`{`
`6857`		`- returnValueParameter = parameter;`
	`6861`	`+ returnValueParameter = param;`
`6858`	`6862`	`break;`
`6859`	`6863`	`}`
`6860`	`6864`	`}`
`@@ -6863,7 +6867,8 @@ private SqlParameter BuildStoredProcedureStatementForColumnEncryption(string sto`
`6863`	`6867`	`// EXEC @returnValue = moduleName [parameters]`
`6864`	`6868`	`if (returnValueParameter != null)`
`6865`	`6869`	`{`
`6866`		`- execStatement.AppendFormat(@"{0}=", returnValueParameter.ParameterNameFixed);`
	`6870`	`+ SqlParameter.AppendPrefixedParameterName(execStatement, returnValueParameter.ParameterName);`
	`6871`	`+ execStatement.Append('=');`
`6867`	`6872`	`}`
`6868`	`6873`
`6869`	`6874`	`execStatement.Append(ParseAndQuoteIdentifier(storedProcedureName, false));`
`@@ -6874,6 +6879,7 @@ private SqlParameter BuildStoredProcedureStatementForColumnEncryption(string sto`
`6874`	`6879`	`// Append the first parameter`
`6875`	`6880`	`int index = 0;`
`6876`	`6881`	`int count = parameters.Count;`
	`6882`	`+ SqlParameter parameter;`
`6877`	`6883`	`if (count > 0)`
`6878`	`6884`	`{`
`6879`	`6885`	`// Skip the return value parameters.`
`@@ -6884,16 +6890,20 @@ private SqlParameter BuildStoredProcedureStatementForColumnEncryption(string sto`
`6884`	`6890`
`6885`	`6891`	`if (index < count)`
`6886`	`6892`	`{`
	`6893`	`+ parameter = parameters[index];`
`6887`	`6894`	`// Possibility of a SQL Injection issue through parameter names and how to construct valid identifier for parameters.`
`6888`	`6895`	`// Since the parameters comes from application itself, there should not be a security vulnerability.`
`6889`	`6896`	`// Also since the query is not executed, but only analyzed there is no possibility for elevation of priviledge, but only for`
`6890`	`6897`	`// incorrect results which would only affect the user that attempts the injection.`
`6891`		`- execStatement.AppendFormat(@" {0}={0}", parameters[index].ParameterNameFixed);`
	`6898`	`+ execStatement.Append(' ');`
	`6899`	`+ SqlParameter.AppendPrefixedParameterName(execStatement, parameter.ParameterName);`
	`6900`	`+ execStatement.Append('=');`
	`6901`	`+ SqlParameter.AppendPrefixedParameterName(execStatement, parameter.ParameterName);`
`6892`	`6902`
`6893`	`6903`	`// InputOutput and Output parameters need to be marked as such.`
`6894`	`6904`	`if (`
`6895`		`- parameters[index].Direction == ParameterDirection.Output \|\|`
`6896`		`- parameters[index].Direction == ParameterDirection.InputOutput`
	`6905`	`+ parameter.Direction == ParameterDirection.Output \|\|`
	`6906`	`+ parameter.Direction == ParameterDirection.InputOutput`
`6897`	`6907`	`)`
`6898`	`6908`	`{`
`6899`	`6909`	`execStatement.AppendFormat(@" OUTPUT");`
`@@ -6907,14 +6917,18 @@ private SqlParameter BuildStoredProcedureStatementForColumnEncryption(string sto`
`6907`	`6917`	`// Append the rest of parameters`
`6908`	`6918`	`for (; index < count; index++)`
`6909`	`6919`	`{`
`6910`		`- if (parameters[index].Direction != ParameterDirection.ReturnValue)`
	`6920`	`+ parameter = parameters[index];`
	`6921`	`+ if (parameter.Direction != ParameterDirection.ReturnValue)`
`6911`	`6922`	`{`
`6912`		`- execStatement.AppendFormat(@", {0}={0}", parameters[index].ParameterNameFixed);`
	`6923`	`+ execStatement.Append(", ");`
	`6924`	`+ SqlParameter.AppendPrefixedParameterName(execStatement, parameter.ParameterName);`
	`6925`	`+ execStatement.Append('=');`
	`6926`	`+ SqlParameter.AppendPrefixedParameterName(execStatement, parameter.ParameterName);`
`6913`	`6927`
`6914`	`6928`	`// InputOutput and Output parameters need to be marked as such.`
`6915`	`6929`	`if (`
`6916`		`- parameters[index].Direction == ParameterDirection.Output \|\|`
`6917`		`- parameters[index].Direction == ParameterDirection.InputOutput`
	`6930`	`+ parameter.Direction == ParameterDirection.Output \|\|`
	`6931`	`+ parameter.Direction == ParameterDirection.InputOutput`
`6918`	`6932`	`)`
`6919`	`6933`	`{`
`6920`	`6934`	`execStatement.AppendFormat(@" OUTPUT");`
`@@ -6946,9 +6960,10 @@ internal string BuildParamList(TdsParser parser, SqlParameterCollection paramete`
`6946`	`6960`
`6947`	`6961`	`// add our separator for the ith parameter`
`6948`	`6962`	`if (fAddSeparator)`
	`6963`	`+ {`
`6949`	`6964`	`paramList.Append(',');`
`6950`		`-`
`6951`		`- paramList.Append(sqlParam.ParameterNameFixed);`
	`6965`	`+ }`
	`6966`	`+ SqlParameter.AppendPrefixedParameterName(paramList, sqlParam.ParameterName);`
`6952`	`6967`
`6953`	`6968`	`MetaType mt = sqlParam.InternalMetaType;`
`6954`	`6969`
`@@ -6957,7 +6972,7 @@ internal string BuildParamList(TdsParser parser, SqlParameterCollection paramete`
`6957`	`6972`
`6958`	`6973`	`// paragraph above doesn't seem to be correct. Server won't find the type`
`6959`	`6974`	`// if we don't provide a fully qualified name`
`6960`		`- paramList.Append(" ");`
	`6975`	`+ paramList.Append(' ');`
`6961`	`6976`	`if (mt.SqlDbType == SqlDbType.Udt)`
`6962`	`6977`	`{`
`6963`	`6978`	`string fullTypeName = sqlParam.UdtTypeName;`
`@@ -6971,7 +6986,7 @@ internal string BuildParamList(TdsParser parser, SqlParameterCollection paramete`
`6971`	`6986`	`string typeName = sqlParam.TypeName;`
`6972`	`6987`	`if (ADP.IsEmpty(typeName))`
`6973`	`6988`	`{`
`6974`		`- throw SQL.MustSetTypeNameForParam(mt.TypeName, sqlParam.ParameterNameFixed);`
	`6989`	`+ throw SQL.MustSetTypeNameForParam(mt.TypeName, sqlParam.GetPrefixedParameterName());`
`6975`	`6990`	`}`
`6976`	`6991`	`paramList.Append(ParseAndQuoteIdentifier(typeName, false /* is not UdtTypeName*/));`
`6977`	`6992`