/* goodB2G() - use badsource and goodsink */ public static void GoodB2GSink(CWE89_SQL_Injection__Web_QueryString_Web_ExecuteNonQuery_67a.Container dataContainer, HttpRequest req, HttpResponse resp) { string data = dataContainer.containerOne; int? result = null; try { using (SqlConnection dbConnection = IO.GetDBConnection()) { dbConnection.Open(); using (SqlCommand goodSqlCommand = new SqlCommand(null, dbConnection)) { goodSqlCommand.CommandText = "insert into users (status) values ('updated') where name=@name"; /* FIX: Use prepared statement and ExecuteNonQuery (properly) */ SqlParameter nameParam = new SqlParameter("@name", SqlDbType.VarChar, 0); nameParam.Value = data; goodSqlCommand.Parameters.Add(nameParam); goodSqlCommand.Prepare(); result = goodSqlCommand.ExecuteNonQuery(); if (result != null) { IO.WriteLine("Name, " + data + ", updated successfully"); } else { IO.WriteLine("Unable to update records for user: "******"Error getting database connection", exceptSql); } }
/* goodG2B() - use goodsource and badsink */ public static void GoodG2BSink(CWE89_SQL_Injection__Web_QueryString_Web_ExecuteNonQuery_67a.Container dataContainer, HttpRequest req, HttpResponse resp) { string data = dataContainer.containerOne; int? result = null; try { using (SqlConnection dbConnection = IO.GetDBConnection()) { dbConnection.Open(); using (SqlCommand badSqlCommand = new SqlCommand(null, dbConnection)) { /* POTENTIAL FLAW: data concatenated into SQL statement used in ExecuteNonQuery(), which could result in SQL Injection */ badSqlCommand.CommandText = "insert into users (status) values ('updated') where name='" + data + "'"; result = badSqlCommand.ExecuteNonQuery(); if (result != null) { IO.WriteLine("Name, " + data + ", updated successfully"); } else { IO.WriteLine("Unable to update records for user: "******"Error getting database connection", exceptSql); } }