C Sharp Unsanitized Input In Sql
Description
Detects potential SQL injection vulnerabilities in C# applications by identifying unsanitized user input that flows into database query execution methods. Such flaws allow an attacker to change the structure of the SQL statement through user-controlled input, potentially leading to unauthorized data access or modification of the database.
Detection Strategy
• Identifies calls to database execution methods such as ExecuteNonQuery, ExecuteScalar, ExecuteReader and their async variants (ExecuteNonQueryAsync, ExecuteScalarAsync, and so on)
• Checks whether the query text, command parameters or connection used by those calls carry user-controlled input that has not been sanitized or parameterized
• Reports a vulnerability when user-supplied data reaches a database execution method without adequate validation or, preferably, without being passed as a bound parameter
• Specifically treats parameters and connections whose identifiers contain terms like 'user_parameters', 'user_connection' or 'db_connection' as likely injection points
Vulnerable code example
using System.Data.SqlClient;
using System.Web;

public class VulnerableExample
{
    public void ProcessUser(HttpRequest request)
    {
        using (SqlConnection conn = new SqlConnection("connection_string"))
        {
            // ... (the remainder of this example is truncated in the source)
        }
    }
}

✅ Secure code example
using System.Data.SqlClient;
using System.Web;

public class SecureExample
{
    public void ProcessUser(HttpRequest request)
    {
        using (SqlConnection conn = new SqlConnection("connection_string"))
        {
            // ... (the remainder of this example is truncated in the source)
        }
    }
}