Last post Oct 15, 2015 10:56 AM by PatriceSc
Oct 15, 2015 10:28 AM | Kapils573
I ran an HP Fortify scan on the code and am getting a SQL injection issue on the Where clause. How do I fix the issue? How do I pass the parameters in the "Where" clause?
```csharp
using System.Collections.Generic;
using System.Linq;
using System.Linq.Dynamic; // assumed: the string-based Where() below comes from the Dynamic LINQ library

public static IEnumerable<InventoryItem> GetQueryResult(IQueryable<InventoryItem> sStartSql, DownloadCriteria criteria, string tunnelNumber)
{
    var sSql = sStartSql;
    string sCondition = string.Empty;
    List<InventoryItem> inventoryItemList = new List<InventoryItem>();

    // The predicate is built by concatenating caller-supplied values into its text;
    // this concatenated string is what Fortify flags as SQL injection.
    if (criteria.State != 99)
        sCondition = "StateCode_I3" + " = " + criteria.State + " " + "AND" + " ";
    sCondition += "TunnelNo_I1" + " = \"" + tunnelNumber + "\"";

    if (sCondition != string.Empty)
    {
        IQueryable<InventoryItem> sSelect = sSql.Where(sCondition); // Dynamic LINQ parses the string at runtime
        inventoryItemList = sSelect.ToList();
        if (inventoryItemList.Count > 0)
            sSql = inventoryItemList.AsQueryable();
    }
    return sSql;
}
```
Oct 15, 2015 10:56 AM | PatriceSc
What is your db access API?
http://blogs.msdn.com/b/swiss_dpe_team/archive/2008/06/05/composable-linq-to-sql-query-with-dynamic-orderby.aspx is Linq to SQL but it applies as well to EF: you are allowed to start from a query and to conditionally "enrich" the query by calling the Where extension method multiple times.
Else the exact SQL injection issue is about inserting strings that are not under your control. So you could use:
sCondition = "StateCode_I3 = @1 AND ";
use that in your SQL string and provide the parameter values at the time of the call. Not sure how HP Fortify works and if it would still catch something, but the point is that your SQL statement should be basically built from constant strings found in your code (even if some of those constant strings are assembled as needed).
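The composable-Where approach from the answer above, written out as an added example (not code from either poster): the entity and criteria types are hypothetical stand-ins for the question's `InventoryItem` and `DownloadCriteria`, and the in-memory list is a constructed sample in place of the real table. Because each condition is a typed lambda, the captured values travel as expression-tree constants that LINQ to SQL or EF emit as SQL parameters, so there is no predicate text for a caller-supplied value to alter.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical entity and criteria types mirroring the names used in the question.
public class InventoryItem
{
    public int StateCode_I3 { get; set; }
    public string TunnelNo_I1 { get; set; }
}

public class DownloadCriteria
{
    public int State { get; set; }
}

public static class InventoryQueries
{
    // Each Where() call adds a typed condition; 99 keeps the original "no state filter" meaning.
    // criteria.State and tunnelNumber are captured as constants, never spliced into query text.
    public static IQueryable<InventoryItem> ApplyCriteria(
        IQueryable<InventoryItem> query, DownloadCriteria criteria, string tunnelNumber)
    {
        if (criteria.State != 99)
            query = query.Where(i => i.StateCode_I3 == criteria.State);

        query = query.Where(i => i.TunnelNo_I1 == tunnelNumber);
        return query;
    }

    public static void Main()
    {
        // Constructed in-memory sample standing in for the database table.
        var items = new List<InventoryItem>
        {
            new InventoryItem { StateCode_I3 = 1, TunnelNo_I1 = "T1" },
            new InventoryItem { StateCode_I3 = 2, TunnelNo_I1 = "T1" },
            new InventoryItem { StateCode_I3 = 1, TunnelNo_I1 = "T2" },
        }.AsQueryable();

        // State filter applied, then skipped with the 99 sentinel.
        Console.WriteLine(ApplyCriteria(items, new DownloadCriteria { State = 1 }, "T1").Count());
        Console.WriteLine(ApplyCriteria(items, new DownloadCriteria { State = 99 }, "T1").Count());

        // A tunnel number containing a quote character would have broken the concatenated
        // predicate in the original code; here it is simply a value that matches no row.
        Console.WriteLine(ApplyCriteria(items, new DownloadCriteria { State = 1 }, "T1\"").Count());
    }
}
```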