include::../description.adoc[] include::../ask-yourself.adoc[] include::../recommended.adoc[] == Sensitive Code Example ---- public void Foo(DbContext context, string query, string param) { string sensitiveQuery = string.Concat(query, param); context.Database.ExecuteSqlCommand(sensitiveQuery); // Sensitive context.Query().FromSql(sensitiveQuery); // Sensitive context.Database.ExecuteSqlCommand($"SELECT * FROM mytable WHERE mycol={value}", param); // Sensitive, the FormattableString is evaluated and converted to RawSqlString string query = $"SELECT * FROM mytable WHERE mycol={param}"; context.Database.ExecuteSqlCommand(query); // Sensitive, the FormattableString has already been evaluated, it won't be converted to a parametrized query. } public void Bar(SqlConnection connection, string param) { SqlCommand command; string sensitiveQuery = string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param); command = new SqlCommand(sensitiveQuery); // Sensitive command.CommandText = sensitiveQuery; // Sensitive SqlDataAdapter adapter; adapter = new SqlDataAdapter(sensitiveQuery, connection); // Sensitive } ---- == Compliant Solution [source,csharp] ---- public void Foo(DbContext context, string query, string param) { context.Database.ExecuteSqlCommand("SELECT * FROM mytable WHERE mycol=@p0", param); // Compliant, it's a parametrized safe query } ---- include::../see.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::../message.adoc[] include::../highlighting.adoc[] ''' == Comments And Links (visible only on this page) === on 16 Oct 2018, 17:38:58 Nicolas Harraudeau wrote: *Implementation details*: Note that the first parameter of many function has a ``++string++`` as first parameter. The reason is that we do not want to highlight the instantiation of empty objects such as ``++new OdbcCommand()++`` which have their command set later via their property ``++CommandText++``. The goal is to highlight the exact moment where the SQL string query is provided to the command. That way we highlight the place where the injection can take place. Note also that no issue should be created if the SQL command has no risk of injection. Thus if the SQL command is a hard-coded string or the concatenation of hard-coded strings, it should not create an issue. === on 8 Oct 2019, 11:12:14 Andrei Epure wrote: \[~nicolas.harraudeau] [~pierre-loup.tristant] - should this rule be harmonized with the libraries we support for RSPEC-3649 (e.g. Dapper, Petapoco, NHibernate)?   _see all the references in https://github.com/SonarSource/sonar-security/blob/8.0.0-M1.5391/its/projects/internal/InternalBasic.CSharp/InternalBasic.CSharp.NetCore/InternalBasic.CSharp.NetCore.csproj[InternalBasic.CSharp.NetCore.csproj] and https://github.com/SonarSource/sonar-security/blob/8.0.0-M1.5391/its/projects/internal/InternalBasic.CSharp/InternalBasic.CSharp.NetFramework/InternalBasic.CSharp.NetFramework.csproj[InternalBasic.CSharp.NetFramework.csproj]_ include::../comments-and-links.adoc[] endif::env-github,rspecator-view[]