SQL injection flaw (Veracode)

Posted by Skulkarni33 under .NET Framework on 6/12/2015 | Points: 10 | Views : 3474 | Status : [Member] | Replies : 1
Hi Team,
After Veracode scanning (static and dynamic), I got a SQL injection flaw for a particular line (ret = cmd.ExecuteNonQuery). Please find the code below and assist with how to fix the flaw.

using System.Configuration;
using System.Data.SqlClient;

// Reconstructed as a method from the posted fragment: strQuery arrives already
// assembled by the caller, which is why the scanner treats ExecuteNonQuery as a sink.
public int ExecuteQuery(string strQuery)
{
    int ret = 0;
    // ConfigurationSettings.AppSettings is obsolete since .NET 2.0; ConfigurationManager.AppSettings is the replacement.
    string connectionString = ConfigurationSettings.AppSettings["ConnectionString"];
    SqlConnection conn = new SqlConnection(connectionString);
    try
    {
        SqlCommand cmd = new SqlCommand(strQuery, conn);
        conn.Open();
        ret = cmd.ExecuteNonQuery();   // line reported by Veracode
    }
    finally
    {
        if (conn != null)
        {
            conn.Close();
            conn.Dispose();
        }
    }
    return ret;
}




Responses

Posted by: Sheonarayan on: 6/12/2015 [Administrator] HonoraryPlatinum | Points: 25

SQL injection is possible only when you are concatenating the SQL statement with the input coming from the user. To avoid it completely, use parameterized SQL statements or Entity Framework.

Read this article on dotnetfunda.com that describes what SQL injection is and how to avoid it: http://www.dotnetfunda.com/articles/show/2400/prevent-sql-injection-in-csharp.

Thanks

Regards,
Sheo Narayan
http://www.dotnetfunda.com

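The parameterized fix the answer recommends, shown beside the concatenation pattern that triggers the finding. This is an added example written for this thread, not code from either poster or from Veracode; the Users table, the UserName and IsActive columns, the dbo.DeactivateUser stored procedure and the UserRepository class are all assumed for illustration. The connection string is read the same way the question does, via the "ConnectionString" app setting.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

// Hypothetical repository class; table, column and procedure names are assumptions.
public static class UserRepository
{
    // Same app setting the question uses, read through the non-obsolete API.
    private static string ConnectionString =>
        ConfigurationManager.AppSettings["ConnectionString"];

    // BEFORE: command text is built from user input. Static analysis follows
    // 'username' into SqlCommand and reports ExecuteNonQuery as an injection sink.
    // An ordinary name containing an apostrophe (O'Brien) already breaks this query;
    // hostile input can change what the statement does.
    public static int DeactivateUserUnsafe(string username)
    {
        string strQuery =
            "UPDATE Users SET IsActive = 0 WHERE UserName = '" + username + "'";
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(strQuery, conn))
        {
            conn.Open();
            return cmd.ExecuteNonQuery();   // flagged: command text is tainted
        }
    }

    // AFTER: constant command text plus a typed parameter. The value travels to
    // SQL Server separately from the statement, so it cannot alter its structure,
    // and the scanner sees no user data reaching the command text.
    public static int DeactivateUser(string username)
    {
        const string sql = "UPDATE Users SET IsActive = 0 WHERE UserName = @UserName";
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = username;
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // Same rule when the logic lives in a stored procedure: set CommandType and
    // add parameters rather than building an "EXEC proc '...'" string.
    public static int DeactivateUserViaProc(string username)
    {
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand("dbo.DeactivateUser", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = username;
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

Two practical points for the code in the question. First, the `using` blocks replace the manual try/finally Close/Dispose; the connection and command are disposed on every exit path. Second, a generic helper that accepts a fully built `strQuery` will keep being reported no matter how it is written, because the scanner cannot tell where that string came from; the fix has to happen where the string is assembled, by passing values as parameters instead of splicing them into SQL text. Parameters only cover values: if a caller needs to choose a table, column or ORDER BY expression, map the input to a fixed allow-list of names rather than inserting it into the statement.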
