CA2100 (Security). Enabled by default: No. MS default: Warning

Review SQL queries for security vulnerabilities

Avoid building SQL command text from untrusted input.

Microsoft docs

Description

Flags SQL command text built via string concatenation, which is a SQL-injection risk. Use parameterized queries instead.

Cause

A method sets the System.Data.IDbCommand.CommandText property by using a string that's built from a string argument to the method.

By default, this rule analyzes the entire codebase, but this is configurable.

Why it matters

String-concatenated SQL is the classic SQL-injection vector and can expose or destroy data.

How to fix violations

To fix a violation of this rule, use a parameterized query.

Examples

Avoid:

    cmd.CommandText = "SELECT * FROM Users WHERE Name = '" + name + "'";

Prefer:

    cmd.CommandText = "SELECT * FROM Users WHERE Name = @name";
    cmd.Parameters.AddWithValue("@name", name);

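The pattern the analyzer flags and its parameterized fix, side by side, as an added example that is not from the Microsoft docs or the analyzer itself. It is written against the provider-neutral System.Data.IDbCommand interface (which has no AddWithValue, so the parameter is created through CreateParameter) and assumes the Microsoft.Data.Sqlite package with an in-memory database so it runs offline.

```csharp
// Added example (not from the Microsoft docs). Assumes the Microsoft.Data.Sqlite package.
using System;
using System.Data;
using Microsoft.Data.Sqlite;

static class Ca2100Demo
{
    // Violation: CommandText is built from the 'name' argument, so an input that
    // contains a quote can change the meaning of the query. CA2100 reports this line.
    static int CountByNameUnsafe(IDbConnection conn, string name)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM Users WHERE Name = '" + name + "'";
        return Convert.ToInt32(cmd.ExecuteScalar());
    }

    // Fix: the command text is a constant and the value travels as a parameter,
    // so the provider treats it as data, never as SQL. No CA2100 warning here.
    static int CountByNameSafe(IDbConnection conn, string name)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM Users WHERE Name = @name";
        var p = cmd.CreateParameter();
        p.ParameterName = "@name";
        p.Value = name;
        cmd.Parameters.Add(p);
        return Convert.ToInt32(cmd.ExecuteScalar());
    }

    static void Main()
    {
        using var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();
        using (var setup = conn.CreateCommand())
        {
            // Constant text with no user input: the case where suppressing CA2100 is acceptable.
            setup.CommandText = "CREATE TABLE Users(Name TEXT); INSERT INTO Users VALUES ('alice'), ('bob');";
            setup.ExecuteNonQuery();
        }

        // Constructed input: a tautology that the concatenated query will execute as SQL.
        string hostile = "nobody' OR '1'='1";
        Console.WriteLine("unsafe count: " + CountByNameUnsafe(conn, hostile)); // matches every row
        Console.WriteLine("safe count:   " + CountByNameSafe(conn, hostile));   // matches no row: no such name
    }
}
```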
When to suppress

It's safe to suppress a warning from this rule if the command text does not contain any user input.
