/* goodG2B() - use goodsource and badsink */ private static void GoodG2B(HttpRequest req, HttpResponse resp) { string data; /* FIX: Use a hardcoded string */ data = "foo"; Container dataContainer = new Container(); dataContainer.containerOne = data; CWE81_XSS_Error_Message__Web_Database_67b.GoodG2BSink(dataContainer, req, resp); }
public override void Bad(HttpRequest req, HttpResponse resp) { string data; data = ""; /* Initialize data */ /* Read data from a database */ { try { /* setup the connection */ using (SqlConnection connection = IO.GetDBConnection()) { connection.Open(); /* prepare and execute a (hardcoded) query */ using (SqlCommand command = new SqlCommand(null, connection)) { command.CommandText = "select name from users where id=0"; command.Prepare(); using (SqlDataReader dr = command.ExecuteReader()) { /* POTENTIAL FLAW: Read data from a database query SqlDataReader */ data = dr.GetString(1); } } } } catch (SqlException exceptSql) { IO.Logger.Log(NLog.LogLevel.Warn, exceptSql, "Error with SQL statement"); } } Container dataContainer = new Container(); dataContainer.containerOne = data; CWE81_XSS_Error_Message__Web_Database_67b.BadSink(dataContainer, req, resp); }