public override void Bad(HttpRequest req, HttpResponse resp) { string data; data = ""; /* initialize data in case id is not in query string */ /* POTENTIAL FLAW: Parse id param out of the URL querystring (without using getParameter()) */ { if (req.QueryString["id"] != null) { data = req.QueryString["id"]; } } string[] dataArray = new string[5]; dataArray[2] = data; CWE90_LDAP_Injection__QueryString_Web_66b.BadSink(dataArray, req, resp); }