From 5e2fc8b0dc6acb0fdd1c77c08452b16d1af67445 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 18 Oct 2025 20:33:47 +0000
Subject: [PATCH] Fix SQL injection in SqlConnectionsSaver UpdateUpdatesTable method
Co-authored-by: Kvarkas <3611964+Kvarkas@users.noreply.github.com>
---
 mRemoteNG/Config/Connections/SqlConnectionsSaver.cs | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/mRemoteNG/Config/Connections/SqlConnectionsSaver.cs b/mRemoteNG/Config/Connections/SqlConnectionsSaver.cs
index 8dc8a2877..955708f5a 100644
--- a/mRemoteNG/Config/Connections/SqlConnectionsSaver.cs
+++ b/mRemoteNG/Config/Connections/SqlConnectionsSaver.cs
@@ -168,7 +168,13 @@ namespace mRemoteNG.Config.Connections
 // TODO: use transaction
 System.Data.Common.DbCommand dbQuery = databaseConnector.DbCommand("TRUNCATE TABLE tblUpdate");
 dbQuery.ExecuteNonQuery();
- dbQuery = databaseConnector.DbCommand("INSERT INTO tblUpdate (LastUpdate) VALUES('" + MiscTools.DBDate(DateTime.Now.ToUniversalTime()) + "')");
+ dbQuery = databaseConnector.DbCommand("INSERT INTO tblUpdate (LastUpdate) VALUES(@LastUpdate)");
+
+ DbParameter lastUpdateParam = dbQuery.CreateParameter();
+ lastUpdateParam.ParameterName = "@LastUpdate";
+ lastUpdateParam.Value = MiscTools.DBTimeStampNow();
+ dbQuery.Parameters.Add(lastUpdateParam);
+
 dbQuery.ExecuteNonQuery();
 }
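Review bot: The parameter value now comes from `MiscTools.DBTimeStampNow()` instead of `MiscTools.DBDate(DateTime.Now.ToUniversalTime())`, so this security change also alters what is written to `LastUpdate`. The helper's return type and time zone are not visible in this hunk; confirm it yields the same UTC instant in a type every supported provider binds to the column, since other readers presumably compare this value to detect updates. The removed concatenation appears to have embedded only a locally formatted timestamp rather than user-supplied text, so this looks like hardening rather than a fix for a reachable injection, and the commit message should say so for correct triage. `DbParameter` is written unqualified while the context line spells out `System.Data.Common.DbCommand`; unless the file already has `using System.Data.Common;`, write `System.Data.Common.DbParameter lastUpdateParam = dbQuery.CreateParameter();`. The enclosing method starts outside the hunk.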