Review code for SQL injection vulnerabilities
Review code for SQL injection vulnerabilities
Microsoft docsDescription
When working with untrusted input and SQL commands, be mindful of SQL injection attacks. An SQL injection attack can execute malicious SQL commands, compromising the security and integrity of your application. Typical techniques include using a single quotation mark or apostrophe for delimiting literal strings, two dashes for a comment, and a semicolon for the end of a statement. For more information, see SQL Injection.
This rule attempts to find input from HTTP requests reaching an SQL command's text. This rule can't track data across assemblies. For example, if one assembly reads the HTTP request input and then passes it to another assembly that executes the SQL command, this rule won't produce a warning. There is a configurable limit to how deep this rule will analyze data flow across method calls. See Analyzer Configuration for how to configure the limit in an EditorConfig file.
Cause
Potentially untrusted HTTP request input reaches an SQL command's text.
By default, this rule analyzes the entire codebase, but this is configurable.
How to fix violations
Use parameterized SQL commands, or stored procedures, with parameters containing the untrusted input.
Example
using System;
using System.Data;
using System.Data.SqlClient;
namespace TestNamespace
{
public partial class WebForm : System.Web.UI.Page
{
public static string ConnectionString { get; set; }
protected void Page_Load(object sender, EventArgs e)
{
string name = Request.Form["product_name"];
using (SqlConnection connection = new SqlConnection(ConnectionString))
{
SqlCommand sqlCommand = new SqlCommand()
{
CommandText = "SELECT ProductId FROM Products WHERE ProductName = '" + name + "'",
CommandType = CommandType.Text,
};
SqlDataReader reader = sqlCommand.ExecuteReader();
}
}
}
}
using System;
using System.Data;
using System.Data.SqlClient;
namespace TestNamespace
{
public partial class WebForm : System.Web.UI.Page
{
public static string ConnectionString { get; set; }
protected void Page_Load(object sender, EventArgs e)
{
string name = Request.Form["product_name"];
using (SqlConnection connection = new SqlConnection(ConnectionString))
{
SqlCommand sqlCommand = new SqlCommand()
{
CommandText = "SELECT ProductId FROM Products WHERE ProductName = @productName",
CommandType = CommandType.Text,
};
sqlCommand.Parameters.Add("@productName", SqlDbType.NVarChar, 128).Value = name;
SqlDataReader reader = sqlCommand.ExecuteReader();
}
}
}
}
using System;
using System.Data;
using System.Data.SqlClient;
namespace TestNamespace
{
public partial class WebForm : System.Web.UI.Page
{
public static string ConnectionString { get; set; }
protected void Page_Load(object sender, EventArgs e)
{
string name = Request.Form["product_name"];
using (SqlConnection connection = new SqlConnection(ConnectionString))
{
SqlCommand sqlCommand = new SqlCommand()
{
CommandText = "sp_GetProductIdFromName",
CommandType = CommandType.StoredProcedure,
};
sqlCommand.Parameters.Add("@productName", SqlDbType.NVarChar, 128).Value = name;
SqlDataReader reader = sqlCommand.ExecuteReader();
}
}
}
}When to suppress
It's safe to suppress a warning from this rule if you know that the input is always validated against a known safe set of characters.