I have used parameters to prevent SQL injection; however, my scan is complaining about the passed-in query string coming from an untrusted source. This is confusing me because everything appears to be fine. Because the user has a valid login, and because the code is internal to the business layer, how could this be an untrusted source? If anyone has any ideas about a fix, please let me know. First, the scan error:
Scan finding:
On line 429 of Loader.cs, the method ExecuteScaler() invokes a SQL query built using input coming from an untrusted source. This call could allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.
The code causing the finding is this line:
    command.CommandText = Instance.Query;
The code containing the actual finding line above:
    protected Object ExecuteScaler(QueryContainer Instance)
    {
        object returnValue = null;
        if (!_iserror)
        {
            if (_connection == null || _connection.State == ConnectionState.Closed)
            {
                OpenConnection();
            }

            DbCommand command = _provider.CreateCommand();
            command.Connection = _connection;
            command.CommandText = Instance.Query;   // line flagged by the scan
            command.CommandType = CommandType.Text;

            // Values are bound as DbParameters rather than spliced into the text
            if (Instance.parameterList.Count > 0)
            {
                foreach (var p in Instance.parameterList)
                {
                    command.Parameters.Add(p.SqlParam);
                }
            }

            if (_useTransaction)
            {
                command.Transaction = _transaction;
            }

            try
            {
                returnValue = command.ExecuteScalar();
            }
            catch (DbException)
            {
                // Assumed: the posted excerpt ends inside the try block; the handler
                // and the return below only close the method so it compiles
                _iserror = true;
                throw;
            }
        }
        return returnValue;
    }
The code calling the method that calls the offending method above:
    public string GetFileHashByLogExcelKey(int key)
    {
        // Query text is a literal in source; the key travels only as a parameter
        string query = @"SELECT file_hash from log_excel where log_excel_key = @key";
        QueryContainer Instance = new QueryContainer(query);

        MyParam myParam = new MyParam();
        myParam.SqlParam = new SqlParameter("@key", Instance.AddParameterType(_DbTypes.Int));
        myParam.SqlParam.Value = key;
        Instance.parameterList.Add(myParam);

        return Convert.ToString(ExecuteScaler(Instance));
    }
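The pattern the question relies on (statement text fixed in source, caller values bound only as parameters), as an added, self-contained example that is not the poster's code. It runs against an in-memory SQLite database so the lookup can actually be exercised; `Microsoft.Data.Sqlite` is assumed to be available, the `QueryContainer`/`Loader` types here are simplified stand-ins for the poster's, and the table rows are constructed sample data. `BuildByConcatenation` is included, but never executed, to show the shape of query construction that the scanner's "untrusted source" rule is designed to catch: there the caller's value becomes part of the statement's grammar, whereas in the parameterized path it is shipped out-of-band as data.

```csharp
// Added example (not the poster's code). Assumes the Microsoft.Data.Sqlite package.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.Common;
using Microsoft.Data.Sqlite;

public sealed class QueryContainer
{
    // Statement text is chosen by the developer at compile time; only the
    // parameter values vary per call.
    public string Query { get; }
    public List<DbParameter> Parameters { get; } = new List<DbParameter>();

    public QueryContainer(string query) { Query = query; }
}

public static class Loader
{
    // Hypothetical helper with the same shape as the question's ExecuteScaler,
    // minus the transaction and error-flag bookkeeping.
    public static object ExecuteScalar(DbConnection connection, QueryContainer instance)
    {
        if (connection.State == ConnectionState.Closed) connection.Open();
        using (DbCommand command = connection.CreateCommand())
        {
            command.CommandText = instance.Query;   // fixed text from source code
            command.CommandType = CommandType.Text;
            foreach (DbParameter p in instance.Parameters)
                command.Parameters.Add(p);          // values bound as data
            return command.ExecuteScalar();
        }
    }

    // Parameterized lookup: the key is bound, never spliced into the SQL text.
    public static string GetFileHashByLogExcelKey(DbConnection connection, int key)
    {
        var instance = new QueryContainer(
            "SELECT file_hash FROM log_excel WHERE log_excel_key = @key");
        instance.Parameters.Add(
            new SqliteParameter("@key", SqliteType.Integer) { Value = key });
        // Convert.ToString(null) yields "" when no row matches
        return Convert.ToString(ExecuteScalar(connection, instance));
    }

    // For contrast only (never executed here): building the text from a caller
    // value is what a taint scanner flags, because the value can change the
    // statement's meaning instead of being treated as a literal.
    public static string BuildByConcatenation(string key)
    {
        return "SELECT file_hash FROM log_excel WHERE log_excel_key = " + key;
    }

    public static void Main()
    {
        using (var connection = new SqliteConnection("Data Source=:memory:"))
        {
            connection.Open();
            using (var setup = connection.CreateCommand())
            {
                // Constructed sample data
                setup.CommandText =
                    "CREATE TABLE log_excel (log_excel_key INTEGER PRIMARY KEY, file_hash TEXT);" +
                    "INSERT INTO log_excel VALUES (1, 'sample-hash-1'), (2, 'sample-hash-2');";
                setup.ExecuteNonQuery();
            }

            Console.WriteLine(GetFileHashByLogExcelKey(connection, 2));   // sample-hash-2
            Console.WriteLine(GetFileHashByLogExcelKey(connection, 99) == ""
                ? "(no row)" : "(unexpected)");                           // (no row)

            // Shows why the scanner cares where CommandText comes from:
            // the caller's text has become part of the WHERE clause.
            Console.WriteLine(BuildByConcatenation("2 OR 1=1"));
        }
    }
}
```

The scanner in the question cannot see that `Instance.Query` was always assigned from a string literal; it only sees `CommandText` assigned from a property of an object passed in by a caller, which is why the wrapper method, not the caller, carries the finding. Keeping the statement text as literals at every call site, as this example does, is the property the tool is trying to check.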