Last post Mar 26, 2019 08:47 PM by Mikesdotnetting
Mar 26, 2019 08:46 AM|demoninside9|LINK
I have a class named DBHelper and there is a method for CRUD operations. Below is the method.
public int Insert_Update_Delete(string procName, Hashtable parms)
{
    SqlCommand cmd = new SqlCommand();
    cmd.CommandType = CommandType.StoredProcedure;
    cmd.CommandText = procName;
    if (parms.Count > 0)
        foreach (DictionaryEntry de in parms)
            cmd.Parameters.AddWithValue(de.Key.ToString(), de.Value); // keys are expected to carry the @ prefix
    if (con == null)
        con = new SqlConnection(connectionString); // body missing from the post; assumes a connectionString field
    cmd.Connection = con;
    if (con.State == ConnectionState.Closed)
        con.Open();
    int result = cmd.ExecuteNonQuery();
    return result;
}
And I use this method by adding the parameters to it like below.
DBHelper oDBHelper = new DBHelper();
Hashtable param = new Hashtable();
// added more parameters here
int res = oDBHelper.Insert_Update_Delete("usp_contract_update", param);
And it works perfectly, without any issue.
But code analysis always gives the below warning.
The query string passed to 'SqlCommand.CommandText.set(string)' in 'DBHelper.GetDatatabel(string)' could contain the following variables 'procName'. If any of these variables could come from user input, consider using a stored procedure or a parameterized SQL query instead of building the query with string concatenations.
For reference I am attaching the screenshot below.
As I am already using a parameterized SQL query for CRUD operations to prevent SQL injection, do I need to modify my method? If yes, then how?
Mar 26, 2019 08:47 PM|Mikesdotnetting|LINK
No, you don't need to modify your method. The example you showed uses parameters and is safe from SQL injection. The report that you see is a warning only.
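To make the answer concrete, here is an added example (not the poster's DBHelper and not anything from the thread) that puts the two shapes the analyzer distinguishes side by side. The warning quoted above is CA2100, which fires on any non-constant value assigned to CommandText; it cannot tell that the stored-procedure form sends the name as an RPC target and every value as a typed parameter, so nothing caller-supplied is ever parsed as a SQL batch. The example keeps that safe form, adds the one check the poster's method lacks (an allow-list for procName, since the name itself comes from the caller), and contrasts it with the concatenated form the rule exists to catch. The procedure names other than usp_contract_update, the ProcedureCommandBuilder class and the SuppressMessage justification are assumptions for illustration.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics.CodeAnalysis;

// Added example, not the poster's DBHelper: builds the SqlCommand the same way
// the poster does (CommandType.StoredProcedure plus parameters) and shows the
// contrasting pattern that CA2100 is actually written to catch.
public static class ProcedureCommandBuilder
{
    // Assumed allow-list of procedures this helper may invoke. Only
    // usp_contract_update appears on the page; the other names are placeholders.
    private static readonly HashSet<string> AllowedProcedures =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "usp_contract_update",
            "usp_contract_insert",   // placeholder
            "usp_contract_delete"    // placeholder
        };

    // Safe form. The procedure name is sent as the RPC target and each value as
    // a typed parameter, so no caller-supplied text is interpreted as SQL.
    // CA2100 still flags the CommandText assignment because the analyzer only
    // sees a non-constant string; the suppression below records why it is fine.
    [SuppressMessage("Microsoft.Security", "CA2100:Review SQL queries for security vulnerabilities",
        Justification = "CommandType is StoredProcedure, procName is allow-listed and all values are parameters.")]
    public static SqlCommand BuildStoredProcedureCommand(
        SqlConnection con, string procName, Hashtable parms)
    {
        // The name comes from the caller, so restrict it to known procedures.
        // This is an authorization check, not an injection fix.
        if (procName == null || !AllowedProcedures.Contains(procName))
            throw new ArgumentException("Procedure not permitted: " + procName, nameof(procName));

        var cmd = new SqlCommand(procName, con)
        {
            CommandType = CommandType.StoredProcedure
        };

        foreach (DictionaryEntry de in parms)
        {
            string name = de.Key.ToString();
            if (!name.StartsWith("@")) name = "@" + name;   // SqlClient expects the @ prefix
            cmd.Parameters.AddWithValue(name, de.Value ?? DBNull.Value);
        }
        return cmd;
    }

    // Unsafe form, kept only for contrast: values are spliced into the batch
    // text, so a quote inside a value ends the literal and the rest of the
    // value is parsed as SQL. This is the pattern the CA2100 message describes.
    public static SqlCommand BuildConcatenatedCommand(
        SqlConnection con, string procName, Hashtable parms)
    {
        string sql = "EXEC " + procName;
        string sep = " ";
        foreach (DictionaryEntry de in parms)
        {
            sql += sep + de.Key + " = '" + de.Value + "'";
            sep = ", ";
        }
        return new SqlCommand(sql, con) { CommandType = CommandType.Text };
    }

    // Mirrors the poster's usage: build the safe command and execute it.
    public static int Execute(SqlConnection con, string procName, Hashtable parms)
    {
        using (SqlCommand cmd = BuildStoredProcedureCommand(con, procName, parms))
        {
            if (con.State == ConnectionState.Closed)
                con.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

In practice the only change worth making to the posted method is the allow-list: it does not affect injection, but it stops a caller from steering the helper at a procedure it was never meant to run. Whether to suppress CA2100 per method, as above, or leave the warning in the report is a team preference; both are acceptable once the command shape has been reviewed.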