I have a use case where dynamic sql query is cinstructed from a user input to the controller action method.
Even the TableName and ColumnName are inputs to the action. Query is constructed as below for Postgres database.
sqlQuery.Append("SELECT * From public."\"" + tableName + "\" WHERE \"" + attributeName + "\" = @attributeValue);
No issue with implementation. But, SONARQUBE raises critical below error.
**Change this code to not construct SQL queries directly from user-controlled data ** Please suggest how I can solve it. All the compliant solutions are not solving the issue.
I tried all the compliant solutions.
- Tried to pass TableName and ColumnName as parameters. Solved the issue, but query is failing while executing it.
- Instead of concat, tried to use string interpolation as given as fix. But, no luck.
The problem is that you're potentially letting the user put whatever they want in your sql. Sonarqube is right to highlight the problem. There really is never a good reason to write code like this. Your query lets you retrieve an unkown number of rows from any table. You have no idea what columns are going to come back, so no way of doing anything with the returned rows, other than dumping them to screen. Use a database browser instead.