Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the below code snippet

Posted by Priyankaarava under C# on 10/10/2017 | Points: 10 | Views : 281 | Status : [Member] | Replies : 0
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the below code snippet.

    if (dbTrans == null) dbConn.Open();
    switch (provider)
    {
        case DbProvider.ODBC:
            log.Info("odbc inside");
            DbCommand odbcCmd = new OdbcCommand();
            odbcCmd.Connection = dbConn;
            // Sink reported by the scanner: sqlStatement is executed verbatim, so this
            // helper is only as safe as the callers that build that string.
            odbcCmd.CommandText = sqlStatement;
            odbcCmd.CommandType = sqlType;
            odbcCmd.Transaction = dbTrans;
            odbcCmd.CommandTimeout = queryTimeOut;
            PopulateCmdParameters(odbcCmd.Parameters);
            result = odbcCmd.ExecuteScalar();
            break;
        case DbProvider.OLE:
            log.Info("OLE inside");
            DbCommand oleCmd = new OleDbCommand();
            oleCmd.Connection = dbConn;
            oleCmd.CommandText = sqlStatement;   // same sink on the OLE DB path
            oleCmd.CommandType = sqlType;
            oleCmd.Transaction = dbTrans;
            oleCmd.CommandTimeout = queryTimeOut;
            PopulateCmdParameters(oleCmd.Parameters);
            result = oleCmd.ExecuteScalar();
            break;
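The scanner flags the two `CommandText = sqlStatement` lines because the helper accepts a fully formed SQL string from its caller and cannot tell a constant statement from one that was concatenated with user input; `PopulateCmdParameters` presumably binds parameters, but taint on `sqlStatement` itself is never removed. The example below is added here and is not the poster's code. It contrasts a caller that splices input into the text (the pattern that makes the helper exploitable) with a caller that keeps the text constant and binds the value through a `DbParameter`, using the same `DbCommand` shape as the snippet. The `DbProvider` enum mirrors the two cases in the post; the `Customers` table, `Name` column and the `x' OR '1'='1` input are constructed for the illustration.

```csharp
using System;
using System.Data;
using System.Data.Common;
using System.Data.Odbc;
using System.Data.OleDb;

// Added illustration (not the poster's code). The enum mirrors the two cases
// in the post; the Customers table and Name column are assumptions.
enum DbProvider { ODBC, OLE }

static class Program
{
    // VULNERABLE caller: user input is spliced into the SQL text. Any
    // ExecuteScalar() that receives this string is a genuine CWE-89 finding,
    // however carefully the shared helper itself is written.
    static string BuildUnsafeStatement(string userName)
    {
        return "SELECT COUNT(*) FROM Customers WHERE Name = '" + userName + "'";
    }

    // SAFE caller: the SQL text is a compile-time constant. ODBC and OLE DB
    // both use positional '?' markers (not @name), so parameters must be added
    // in the same order as the markers appear in the statement.
    const string SafeStatement = "SELECT COUNT(*) FROM Customers WHERE Name = ?";

    // Builds the same kind of command the helper in the post builds, but with
    // the value carried as a DbParameter instead of inside CommandText.
    static DbCommand CreateSafeCommand(DbProvider provider, DbConnection dbConn,
                                       DbTransaction dbTrans, string userName)
    {
        DbCommand cmd = provider == DbProvider.ODBC
            ? (DbCommand)new OdbcCommand()
            : new OleDbCommand();
        cmd.Connection = dbConn;
        cmd.Transaction = dbTrans;
        cmd.CommandType = CommandType.Text;
        cmd.CommandText = SafeStatement;

        // CreateParameter() returns the provider's own parameter type, so one
        // code path serves both providers without a second switch.
        DbParameter p = cmd.CreateParameter();
        p.DbType = DbType.String;
        p.Size = 100;
        p.Value = userName;          // sent as data, never parsed as SQL
        cmd.Parameters.Add(p);
        return cmd;
    }

    static void Main()
    {
        // Constructed hostile input: closes the quoted literal and appends a tautology.
        string hostile = "x' OR '1'='1";

        Console.WriteLine("Unsafe text: " + BuildUnsafeStatement(hostile));

        // Building the command does not require an open connection or a driver,
        // so the safe shape can be inspected offline.
        using (DbCommand safe = CreateSafeCommand(DbProvider.ODBC, new OdbcConnection(), null, hostile))
        {
            Console.WriteLine("Safe text:   " + safe.CommandText);
            Console.WriteLine("Bound parameters: " + safe.Parameters.Count);
        }
    }
}
```

With the hostile input the unsafe text ends in `WHERE Name = 'x' OR '1'='1'`, which matches every row; the safe command's text never changes, and the same input is handed to the driver as a string value. To clear the finding in a shared helper like the one posted, make every caller pass a constant statement and bind values through `PopulateCmdParameters`, then mark the sink as reviewed in the scanner rather than trying to "sanitize" `sqlStatement` inside the helper.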
Responses

(No response found.)