C Sharp Raw Sql With User Input
Description
Detects SQL injection vulnerabilities in C# code where user-controlled input is used to build the SQL string passed to ExecuteSqlCommand method calls. This creates a risk of SQL injection attacks: a user who controls that input can change the structure of the database query and read or modify data they are not authorized to access.
Detection Strategy
• Identifies method calls to ExecuteSqlCommand in the code
• Checks if the SQL query string parameter contains or is influenced by user-controlled input
• Reports a vulnerability when ExecuteSqlCommand is called with unvalidated user input
• Examines data flow to trace if the SQL query string is built using user-provided values
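The strategy above, reduced to a runnable sketch. The Python script below is an added example, not Fluid Attacks' analyzer, and it assumes Entity Framework's Database.ExecuteSqlCommand, where the first argument is the SQL text and any further arguments are bound as query parameters. It treats every parameter of the enclosing C# method as user-controlled, follows assignments line by line, and reports each ExecuteSqlCommand call whose SQL string reads a tainted name, whether through concatenation, through a variable built from one, or through an interpolated string. The C# source it scans is constructed for the example.

```python
import re
from typing import List, Set, Tuple

# Constructed C# sample (not from the page): two methods build the SQL text from a
# parameter, the third passes the parameter separately and keeps the SQL constant.
SAMPLE_CS = """\
public class Repo
{
    public int DeleteUser(string userId)
    {
        string sql = "DELETE FROM users WHERE id = " + userId;
        return db.Database.ExecuteSqlCommand(sql);
    }

    public int RenameUser(string userId, string newName)
    {
        return db.Database.ExecuteSqlCommand($"UPDATE users SET name = '{newName}' WHERE id = {userId}");
    }

    public int TouchUser(string userId)
    {
        const string sql = "UPDATE users SET touched = 1 WHERE id = {0}";
        return db.Database.ExecuteSqlCommand(sql, userId);
    }
}
"""

METHOD_RE = re.compile(r"^\s*(?:(?:public|private|protected|internal|static)\s+)*[\w<>\[\],]+\s+(\w+)\s*\(([^)]*)\)\s*$")
ASSIGN_RE = re.compile(r"^\s*(?:\w+\s+)*(\w+)\s*=\s*(.+);\s*$")   # [modifiers type] name = expr;
CALL_RE = re.compile(r"ExecuteSqlCommand\s*\((.*)\)\s*;?\s*$")
IDENT_RE = re.compile(r"[A-Za-z_]\w*")


def referenced_identifiers(expr: str) -> Set[str]:
    """Identifiers read by a C# expression. Plain "..." literal text is skipped;
    {placeholders} inside an interpolated $"..." literal count as reads."""
    chunks, i, n = [], 0, len(expr)
    while i < n:
        if expr[i] != '"':                      # code between string literals
            j = expr.find('"', i) if '"' in expr[i:] else n
            chunks.append(expr[i:j])
            i = j
            continue
        interpolated = i > 0 and expr[i - 1] == "$"
        i += 1                                  # skip the opening quote
        while i < n and expr[i] != '"':
            if expr[i] == "\\" or expr.startswith("{{", i):
                i += 2                          # escape sequence or literal brace
            elif interpolated and expr[i] == "{":
                close = expr.find("}", i) if "}" in expr[i:] else n
                chunks.append(expr[i + 1:close])
                i = close + 1
            else:
                i += 1
        i += 1                                  # skip the closing quote
    return {x for chunk in chunks for x in IDENT_RE.findall(chunk)}


def first_argument(args: str) -> str:
    """First top-level argument of a call; commas inside "..." or nested parens do not split."""
    depth, in_str = 0, False
    for i, c in enumerate(args):
        if c == '"' and not (in_str and args[i - 1] == "\\"):
            in_str = not in_str
        elif not in_str:
            depth += c in "(["
            depth -= c in ")]"
            if c == "," and depth == 0:
                return args[:i].strip()
    return args.strip()


def find_sql_injection(source: str) -> List[Tuple[int, str, List[str]]]:
    """(line, method, sorted parameter names) for each ExecuteSqlCommand whose SQL
    string is built from a method parameter. Parameters are the taint sources and
    assignments propagate taint; only the SQL argument (the first one) is inspected."""
    findings, tainted, method = [], {}, ""

    def sources(expr: str) -> Set[str]:        # parameters that flow into expr
        return set().union(*(tainted.get(x, set()) for x in referenced_identifiers(expr)))

    for lineno, line in enumerate(source.splitlines(), start=1):
        m = METHOD_RE.match(line)
        if m:                                   # new method: taint is its parameters
            method = m.group(1)
            params = [p.split()[-1] for p in m.group(2).split(",") if p.strip()]
            tainted = {p: {p} for p in params}
            continue
        m = CALL_RE.search(line)
        if m:
            hits = sources(first_argument(m.group(1)))
            if hits:
                findings.append((lineno, method, sorted(hits)))
        m = ASSIGN_RE.match(line)
        if m and "ExecuteSqlCommand" not in line:
            lhs, hits = m.group(1), sources(m.group(2))
            if hits:
                tainted[lhs] = hits             # the variable now carries user input
            else:
                tainted.pop(lhs, None)          # overwritten with a clean value
    return findings


if __name__ == "__main__":
    for lineno, method, names in find_sql_injection(SAMPLE_CS):
        print(f"line {lineno}: {method} passes user input ({', '.join(names)}) to ExecuteSqlCommand")
```

The script is deliberately line-oriented: it does not follow values across methods, through string.Format or StringBuilder, or across branches, which a real analyzer does on the syntax tree and a data-flow graph. It is enough to show why the third method is not reported (the SQL text is constant and userId travels as a bound parameter) while the first two are.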
Vulnerable code example
using System.Data.SqlClient;
public class UnsafeDatabase
{
    public string GetUserData(string userId)
    {
        string connectionString = "Server=myserver;Database=mydb;";
        // Vulnerable: direct string concatenation allows SQL injection
        string query = "SELECT * FROM users WHERE id = " + userId;
        using var connection = new SqlConnection(connectionString);
        using var command = new SqlCommand(query, connection);
        connection.Open();
        return command.ExecuteScalar()?.ToString();
    }
}
✅ Secure code example
using System.Data.SqlClient;
public class SafeDatabase
{
    public string GetUserData(string userId)
    {
        string connectionString = "Server=myserver;Database=mydb;";
        string query = "SELECT * FROM users WHERE id = @userId"; // Using a parameterized query to prevent SQL injection
        using var connection = new SqlConnection(connectionString);
        using var command = new SqlCommand(query, connection);
        command.Parameters.AddWithValue("@userId", userId); // user input is bound as a value, never as SQL text
        connection.Open();
        return command.ExecuteScalar()?.ToString();
    }
}