Dapr september 2023 security audit report

in Components Contrib do not sanitize the queries before executing them, which could lead to SQL injection attacks in case the user passes untrusted input from the application to Dapr. In fact, if an attacker 333 83fb6ad4/bindings/mysql/mysql.go#L136, they have essentially succeeded in executing an SQL injection, since the SQL string is not sanitized: https://github.com/dapr/components-contrib/blob/cfbac40

码力 | 47 pages | 1.05 MB | 1 year ago | 3