Checkmarx Second Order SQL Injection C#

1.8k Views Asked by Gökhan Bozkurt At 19 July 2022 at 08:21

I'm getting this error from Checkmarx:

The application constructs this SQL query by embedding an untrusted string into the query without proper sanitization. The concatenated string is submitted to the database, where it is parsed and executed accordingly.

public class CurrClientEntity
    {       
         
        public string C_Code { get; set; }
        
        public string C_Id { get; set; }        
    }


 public CurrClientEntity GetCurrClientId(string c_Code)       
 {           
            var sql = new StringBuilder(@"SELECT C_CODE,C_ID FROM TBL_CLIENT"); 

            sql.Append(" WHERE VALID =:VALID  ");
            sql.Append(" AND C_CODE = :C_CODE  ");
            var dictionary = new Dictionary<string, object>
                        {
                            { "@C_CODE", c_Code },
                            { "@VALID", 'Y' },
                        };
            var parameters = new DynamicParameters(dictionary);
            using (IDbConnection conn = CreateConnection())
            {
                return conn.QueryFirstOrDefault<CurrClientEntity>(sql.ToString(), parameters);
            }
        }

Original Q&A

There are 1 best solutions below

yaloner On 31 July 2022 at 14:12

Having looked into it, Checkmarx SAST does not support Dapper and misses the safe execution of QueryFirstOrDefault().
Your code seems fine, so you can mark this as Not Exploitable and report it as a False Positive result to Checkmarx.

Checkmarx Second Order SQL Injection C#

There are 1 best solutions below

Related Questions in C#

Related Questions in DAPPER

Related Questions in STATIC-CODE-ANALYSIS

Related Questions in CHECKMARX

Related Questions in SAST

Trending Questions

Popular # Hahtags

Popular Questions