/* goodG2B() - use GoodSource and BadSink */ private static void GoodG2B(HttpRequest req, HttpResponse resp) { string data; /* FIX: Use a hardcoded string */ data = "foo"; LinkedList <string> dataLinkedList = new LinkedList <string>(); dataLinkedList.AddLast(data); dataLinkedList.AddLast(data); dataLinkedList.AddLast(data); CWE89_SQL_Injection__Web_Database_ExecuteNonQuery_73b.GoodG2BSink(dataLinkedList, req, resp); }
/* goodB2G() - use BadSource and GoodSink */ private static void GoodB2G(HttpRequest req, HttpResponse resp) { string data; data = ""; /* Initialize data */ /* Read data from a database */ { try { /* setup the connection */ using (SqlConnection connection = IO.GetDBConnection()) { connection.Open(); /* prepare and execute a (hardcoded) query */ using (SqlCommand command = new SqlCommand(null, connection)) { command.CommandText = "select name from users where id=0"; command.Prepare(); using (SqlDataReader dr = command.ExecuteReader()) { /* POTENTIAL FLAW: Read data from a database query SqlDataReader */ data = dr.GetString(1); } } } } catch (SqlException exceptSql) { IO.Logger.Log(NLog.LogLevel.Warn, exceptSql, "Error with SQL statement"); } } LinkedList <string> dataLinkedList = new LinkedList <string>(); dataLinkedList.AddLast(data); dataLinkedList.AddLast(data); dataLinkedList.AddLast(data); CWE89_SQL_Injection__Web_Database_ExecuteNonQuery_73b.GoodB2GSink(dataLinkedList, req, resp); }