Hello team,

Please help me with this SQL Injection flaw reported by Veracode; refer to the code below.

source code:

Flaws are flagged at both com.CommandText = cmdText; lines.

C#
// Requires: using System.Data.OleDb; (connOle is an OleDbConnection, ar holds Calc objects)
try
{
    connOle.Open();
    OleDbCommand com = connOle.CreateCommand();

    string cmdText = "DROP TABLE Report";

    com.CommandText = cmdText;
    com.ExecuteNonQuery(); // flaw at this line

    cmdText = "CREATE TABLE Report (Datum Text,VG_UG Text,NameVN Text,VstNr Integer,Sti Text,ArtEnt Text,ArtPr Text,Prov float)";
    com.CommandText = cmdText; // flaw at this line

    com.ExecuteNonQuery();

    int i = 0;
    foreach (Calc calc in ar)
    {
        // loop body not included in the original post
    }
}
catch (OleDbException ex)
{
    // catch/finally added so the fragment compiles; surfaces the provider's error text
    Console.WriteLine(ex.Message);
}
finally
{
    connOle.Close();
}
Comments
[no name] 16-Jul-15 7:16am
You would need to ask veracode why their software is flagging these issues.

That has nothing at all to do with SQL injection: it's just a simple string creating a table.

However, not all systems support a TEXT datatype: you may need to use NVARCHAR instead - but without knowing exactly what your OLEDB is connecting to, we can't say exactly.

Start by putting that code into a try-catch block and looking in the debugger at exactly what error message is being generated. It could be that the table exists already, or any of loads of other errors.
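An added example (not code from the original post or from either answer) that makes the distinction above concrete: the question's constant DDL carries no external input, so there is nothing to inject; the place where injection would matter is the per-row data the loop presumably writes, and that is where parameters belong. It assumes an open OleDbConnection, hypothetical helper names, and a subset of the question's Report columns.

```csharp
using System;
using System.Data;
using System.Data.OleDb;

// Added example; helper names are hypothetical, not the poster's code.
public static class ReportWriter
{
    // Constant DDL from the question: nothing attacker-controlled reaches
    // the command text, so this is not an injection point.
    public static void RecreateReportTable(OleDbConnection connOle)
    {
        using (OleDbCommand com = connOle.CreateCommand())
        {
            com.CommandText = "DROP TABLE Report";
            try { com.ExecuteNonQuery(); }
            catch (OleDbException) { /* first run: table does not exist yet */ }

            com.CommandText = "CREATE TABLE Report (Datum Text,VG_UG Text,NameVN Text,"
                            + "VstNr Integer,Sti Text,ArtEnt Text,ArtPr Text,Prov float)";
            com.ExecuteNonQuery();
        }
    }

    // Vulnerable pattern, shown for contrast only: data is spliced into the
    // SQL text, so a quote character inside nameVN changes the statement.
    public static string UnsafeInsertText(string nameVN, int vstNr)
    {
        return "INSERT INTO Report (NameVN, VstNr) VALUES ('" + nameVN + "'," + vstNr + ")";
    }

    // Hardened form: OleDb uses positional '?' placeholders; parameters are
    // bound in the order they are added, so add them in column order.
    public static int InsertReportRow(OleDbConnection connOle,
                                      string datum, string nameVN, int vstNr, double prov)
    {
        using (OleDbCommand com = connOle.CreateCommand())
        {
            com.CommandText =
                "INSERT INTO Report (Datum, NameVN, VstNr, Prov) VALUES (?, ?, ?, ?)";
            com.Parameters.Add("@Datum", OleDbType.VarWChar).Value = datum;
            com.Parameters.Add("@NameVN", OleDbType.VarWChar).Value = nameVN;
            com.Parameters.Add("@VstNr", OleDbType.Integer).Value = vstNr;
            com.Parameters.Add("@Prov", OleDbType.Double).Value = prov;
            return com.ExecuteNonQuery(); // rows affected, 1 on success
        }
    }
}
```

The parameter names passed to Add are only labels with OleDb; binding is by position, so a mismatch between placeholder order and Add order is a logic bug the provider will not catch.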
Not sure what you're trying to do, but you cannot create a table like that. In order to create a table you need to specify proper data types for each column and so on. Have a look at the syntax (if SQL Server).

Having said that, it makes even less sense to first drop the table and then create it. Somehow this looks like you're trying to empty the table. If that is your goal, use either DELETE or TRUNCATE TABLE. But even then remember that if this is a multi-user database, other people see the changes you've made as soon as they are committed...

EDIT

The first statement most likely fails on the first time since you don't have a table to drop...

But, as said, it's not common at all to create or drop permanent tables on the fly.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)