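/* goodB2G() - use badsource and goodsink */
/* Reads a '-' separated list of names from the bad source and bumps each
 * user's hitcount through a single prepared, parameterized batch.
 *
 * Fix over the original: the SqlParameter was constructed but never added to
 * goodSqlCommand.Parameters, so "@name" was undeclared when the batch ran, and
 * every statement reused the same "@name" placeholder, so even once added they
 * would all have bound to the last value. Each statement now gets its own
 * parameter (@name0, @name1, ...) that is added to the command.
 *
 * Errors: SqlException from the connection, Prepare() or ExecuteNonQuery() is
 * logged at Warn and swallowed, as in the original. */
private static void GoodB2G(HttpRequest req, HttpResponse resp)
{
    string data = CWE89_SQL_Injection__Web_Database_CommandText_61b.GoodB2GSource(req, resp);
    if (data == null)
    {
        return;
    }
    string[] names = data.Split('-');
    int successCount = 0;
    try
    {
        /* FIX: Use prepared statement and concatenate CommandText (properly) */
        using (SqlConnection dbConnection = IO.GetDBConnection())
        {
            dbConnection.Open();
            using (SqlCommand goodSqlCommand = new SqlCommand(null, dbConnection))
            {
                for (int i = 0; i < names.Length; i++)
                {
                    /* one distinct parameter per statement; only the placeholder name, never the
                     * value, is spliced into the SQL text. Size is set because Prepare() needs it
                     * for variable-length types. */
                    string paramName = "@name" + i;
                    SqlParameter nameParam = new SqlParameter(paramName, SqlDbType.VarChar, 100);
                    nameParam.Value = names[i];
                    goodSqlCommand.Parameters.Add(nameParam);
                    goodSqlCommand.CommandText += "update users set hitcount=hitcount+1 where name=" + paramName + ";";
                }
                goodSqlCommand.Prepare();
                int affectedRows = goodSqlCommand.ExecuteNonQuery();
                successCount += affectedRows;
                IO.WriteLine("Succeeded in " + successCount + " out of " + names.Length + " queries.");
            }
        }
    }
    catch (SqlException exceptSql)
    {
        IO.Logger.Log(NLog.LogLevel.Warn, "Error getting database connection", exceptSql);
    }
}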
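/* goodG2B() - use goodsource and badsink */
/* Reads a '-' separated list of names from the good source and bumps each
 * user's hitcount with one batched command built by string concatenation.
 *
 * Fix over the original: badSqlCommand was left null and then had its
 * Connection property assigned, which threw NullReferenceException before any
 * query could run. The command is now created inside the try so the existing
 * finally block still owns its disposal.
 *
 * The sink is deliberately the vulnerable one for this test case (values are
 * concatenated into CommandText); it is only reached with data from the good
 * source. The parameterized batch in GoodB2G is the form to copy elsewhere.
 *
 * Errors: SqlException from the connection or ExecuteNonQuery() is logged at
 * Warn and swallowed, as in the original. */
private static void GoodG2B(HttpRequest req, HttpResponse resp)
{
    string data = CWE89_SQL_Injection__Web_Database_CommandText_61b.GoodG2BSource(req, resp);
    if (data == null)
    {
        return;
    }
    string[] names = data.Split('-');
    int successCount = 0;
    SqlCommand badSqlCommand = null;
    try
    {
        using (SqlConnection dbConnection = IO.GetDBConnection())
        {
            /* created here (not declared null) so the assignment below cannot throw */
            badSqlCommand = new SqlCommand();
            badSqlCommand.Connection = dbConnection;
            dbConnection.Open();
            for (int i = 0; i < names.Length; i++)
            {
                /* POTENTIAL FLAW: data concatenated into SQL statement used in CommandText, which could result in SQL Injection */
                badSqlCommand.CommandText += "update users set hitcount=hitcount+1 where name='" + names[i] + "';";
            }
            int affectedRows = badSqlCommand.ExecuteNonQuery();
            successCount += affectedRows;
            IO.WriteLine("Succeeded in " + successCount + " out of " + names.Length + " queries.");
        }
    }
    catch (SqlException exceptSql)
    {
        IO.Logger.Log(NLog.LogLevel.Warn, "Error getting database connection", exceptSql);
    }
    finally
    {
        /* dispose is kept in finally so the command is released on both the success and the error path */
        try
        {
            if (badSqlCommand != null)
            {
                badSqlCommand.Dispose();
            }
        }
        catch (SqlException exceptSql)
        {
            IO.Logger.Log(NLog.LogLevel.Warn, "Error disposing SqlCommand", exceptSql);
        }
    }
}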