56 lines
1.6 KiB
Plaintext
56 lines
1.6 KiB
Plaintext
Formatted SQL queries can be difficult to maintain, debug and can increase the risk of SQL injection when concatenating untrusted values into the query. However, this rule doesn't detect SQL injections, the goal is only to highlight complex/formatted queries.
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
----
|
|
Public Sub SqlCommands(ByVal connection As SqlConnection, ByVal query As String, ByVal param As String)
|
|
Dim sensitiveQuery As String = String.Concat(query, param)
|
|
command = New SqlCommand(sensitiveQuery) ' Sensitive
|
|
|
|
command.CommandText = sensitiveQuery ' Sensitive
|
|
|
|
Dim adapter As SqlDataAdapter
|
|
adapter = New SqlDataAdapter(sensitiveQuery, connection) ' Sensitive
|
|
End Sub
|
|
|
|
Public Sub Foo(ByVal context As DbContext, ByVal query As String, ByVal param As String)
|
|
Dim sensitiveQuery As String = String.Concat(query, param)
|
|
context.Database.ExecuteSqlCommand(sensitiveQuery) ' Sensitive
|
|
|
|
context.Query(Of User)().FromSql(sensitiveQuery) ' Sensitive
|
|
End Sub
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
[source,vbnet]
|
|
----
|
|
Public Sub Foo(ByVal context As DbContext, ByVal value As String)
|
|
context.Database.ExecuteSqlCommand("SELECT * FROM mytable WHERE mycol=@p0", value) ' Compliant, the query is parameterized
|
|
End Sub
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
include::../highlighting.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|