Hello Team,
please provide some solution for this SQL injection flaw in veracode and find below code.
source code:
flaws @ both com.ExecuteNonQuery();
string sql = "";
int length = 30;
adr = adr.Trim();
if(adr.Length<length)>
adr = adr.Substring(0,length);
cl.DTime = DateTime.Now.ToString("dd.MM.yy");
sql += "INSERT INTO Report (Datum,VG_UG,NameVN,VstNr,ArtPr,Sti,Prov,ArtEnt) ";
sql += "VALUES ( ";
sql += "'" + cl.DTime + "'," + "'" + vg + "'," + "'" + adr + "'," + cl.VSTNr
+ ",'Risiko'," + "'" + sti
+ "'," + pRisik.ToString().Replace(",",".") + ",'Bestan');";
com.CommandText = sql;
com.ExecuteNonQuery();
sql = "INSERT INTO Report (Datum,VG_UG,NameVN,VstNr,ArtPr,Sti,Prov,ArtEnt)";
sql += "VALUES ( ";
sql += "'" + cl.DTime + "'," + "'" + vg + "'," + "'" + adr + "'," + cl.VSTNr
+ ",'Sparpr'," + "'" + sti
+ "'," + pSparp.ToString().Replace(",",".") + ",'Bestan');";
com.CommandText = sql;
com.ExecuteNonQuery();
sql = "INSERT INTO Report (VG_UG) VALUES ('')";
com.CommandText = sql;
com.ExecuteNonQuery();