SQL injection Flaw(Veracode )

Posted by Skulkarni33 under .NET Framework on 6/12/2015 | Points: 10 | Views : 846 | Status : [Member] | Replies : 1
Hi Team,
After veracode scanning(static and dynamic),i got SQL injection flaw for perticular line(ret = cmd.ExecuteNonQuery).Please find below code and assist how to fix the flaw..

string connectionString = ConfigurationSettings.AppSettings["ConnectionString"];
SqlConnection conn = new SqlConnection(connectionString);
try
{
SqlCommand cmd = new SqlCommand(strQuery, conn);
conn.Open();
ret = cmd.ExecuteNonQuery();
}
finally
{
if(conn != null)
{
conn.Close();
conn.Dispose();
}
}
return ret;




Responses

Posted by: Sheonarayan on: 6/12/2015 [Administrator] HonoraryPlatinum | Points: 25

Up
0
Down
SQL injection is possible only when you are concatenating the sql statement with the input coming from user. To avoid it completely, use parameterized SQL statements or Entity Framework.

Read this article on dotnetfunda.com that described what is sql injection and how to avoid it http://www.dotnetfunda.com/articles/show/2400/prevent-sql-injection-in-csharp.

Thanks

Regards,
Sheo Narayan
http://www.dotnetfunda.com

Skulkarni33, if this helps please login to Mark As Answer. | Alert Moderator

Login to post response