TechQA.

Checkmarx Second Order SQL Injection C#

1.8k views Asked by At

I'm getting this error from Checkmarx:

The application constructs this SQL query by embedding an untrusted string into the query without proper sanitization. The concatenated string is submitted to the database, where it is parsed and executed accordingly.

public class CurrClientEntity
    {       
         
        public string C_Code { get; set; }
        
        public string C_Id { get; set; }        
    }


 public CurrClientEntity GetCurrClientId(string c_Code)       
 {           
            var sql = new StringBuilder(@"SELECT C_CODE,C_ID FROM TBL_CLIENT"); 

            sql.Append(" WHERE VALID =:VALID  ");
            sql.Append(" AND C_CODE = :C_CODE  ");
            var dictionary = new Dictionary<string, object>
                        {
                            { "@C_CODE", c_Code },
                            { "@VALID", 'Y' },
                        };
            var parameters = new DynamicParameters(dictionary);
            using (IDbConnection conn = CreateConnection())
            {
                return conn.QueryFirstOrDefault<CurrClientEntity>(sql.ToString(), parameters);
            }
        }
c# dapper static-code-analysis checkmarx sast
Original Q&A
1

There are 1 answers

0
yaloner On

Having looked into it, Checkmarx SAST does not support Dapper and misses the safe execution of QueryFirstOrDefault().
Your code seems fine, so you can mark this as Not Exploitable and report it as a False Positive result to Checkmarx.

Related Questions in C#

Related Questions in DAPPER

Related Questions in STATIC-CODE-ANALYSIS

Related Questions in CHECKMARX

Related Questions in SAST

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Trending Questions