Hi Team
I am trying to prevent a Stored XSS vulnerability for a SQL query, which is showing as a high vulnerability in Checkmarx.
Below is my code.

What I have tried:

public DataSet GetData(string sqlQuery)
{
    OracleConnection con = new OracleConnection(connectionString); // connectionString: connection details elided in the post
    OracleDataAdapter ad = new OracleDataAdapter(sqlQuery, con);  // the SQL text is taken verbatim from the caller
    DataSet ds = new DataSet();
    ad.Fill(ds);
    return ds;
}

UI code
DataGrid dg = new DataGrid();
dg.DataSource = objDa.GetData(txtQuery.Text); // assumed: the query text comes from a user-editable TextBox
Updated 25-Sep-20 2:56am

1 solution

You have a higher risk vulnerability: you've written a method which will force you to write code which is vulnerable to SQL Injection.

You need to rewrite your GetData method to allow you to pass parameters properly, rather than stuffing them into the query itself. You should also make sure you're not accepting queries directly from the user.

To prevent XSS vulnerabilities, you need to properly encode any output depending on where it is being displayed. For example, if you're displaying it as part of the HTML markup, you need to HTML encode it.

Many WebForms controls have properties which will let you specify that their output should be encoded. For example:
BoundField.HtmlEncode Property (System.Web.UI.WebControls) | Microsoft Docs
Literal.Mode Property (System.Web.UI.WebControls) | Microsoft Docs

So long as you use these properties correctly, and never output unencoded data which could be controlled or affected by the user, you should avoid any XSS vulnerabilities.

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP
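As an added example of the two points in this answer (it is not part of the answer or the original poster's code): the data-access method takes a value rather than a query and binds it as an Oracle parameter, so the user's input never becomes part of the SQL text; the page passes that value through and binds a GridView whose BoundField columns HTML-encode on output. It assumes the ODP.NET provider (Oracle.ManagedDataAccess.Client), a connection string named OracleDb in web.config, a hypothetical orders table, and an .aspx page containing a server-side form; none of these names appear in the post.

```csharp
// Added example, not the poster's or the answerer's code.
// Assumptions: ODP.NET (Oracle.ManagedDataAccess.Client), a connection string named
// "OracleDb" in web.config, and a hypothetical "orders" table.
using System;
using System.Configuration;
using System.Data;
using System.Web.UI;
using System.Web.UI.WebControls;
using Oracle.ManagedDataAccess.Client;

public class OrderRepository
{
    private readonly string connectionString =
        ConfigurationManager.ConnectionStrings["OracleDb"].ConnectionString;

    // The SQL text is a constant owned by the application. The only runtime input is the
    // bind variable :customerName, which is sent to Oracle separately from the statement,
    // so it can never change the structure of the query.
    private const string OrdersByCustomerSql =
        "SELECT order_id, customer_name, notes FROM orders WHERE customer_name = :customerName";

    public DataSet GetOrdersByCustomer(string customerName)
    {
        var ds = new DataSet();
        using (var con = new OracleConnection(connectionString))
        using (var cmd = new OracleCommand(OrdersByCustomerSql, con))
        {
            // ODP.NET binds by position unless told otherwise; binding by name keeps the
            // parameters unambiguous if more are added later.
            cmd.BindByName = true;
            cmd.Parameters.Add(new OracleParameter("customerName", OracleDbType.Varchar2, 100))
               .Value = customerName;
            using (var adapter = new OracleDataAdapter(cmd))
            {
                adapter.Fill(ds); // Fill opens and closes the connection itself
            }
        }
        return ds;
    }
}

// Code-behind for a hypothetical page whose .aspx contains <form runat="server">.
// The user supplies a customer name, not SQL; the grid encodes every cell on output.
public partial class OrdersPage : Page
{
    private readonly TextBox txtCustomer = new TextBox();
    private readonly GridView gvOrders = new GridView { AutoGenerateColumns = false };

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // BoundField.HtmlEncode defaults to true; it is set explicitly here so the intent is
        // visible. A stored notes value of "<b>x</b>" is rendered as &lt;b&gt;x&lt;/b&gt;
        // and displayed as literal text instead of being interpreted by the browser.
        foreach (string field in new[] { "order_id", "customer_name", "notes" })
        {
            gvOrders.Columns.Add(new BoundField { DataField = field, HeaderText = field, HtmlEncode = true });
        }
        var btnSearch = new Button { Text = "Search" };
        btnSearch.Click += btnSearch_Click;
        Form.Controls.Add(txtCustomer);
        Form.Controls.Add(btnSearch);
        Form.Controls.Add(gvOrders);
    }

    protected void btnSearch_Click(object sender, EventArgs e)
    {
        gvOrders.DataSource = new OrderRepository().GetOrdersByCustomer(txtCustomer.Text);
        gvOrders.DataBind();
    }
}
```

The method name and its fixed SQL replace the generic GetData(string sqlQuery): a repository exposes one method per query the application actually needs, and the UI can only choose which of those to call and what values to bind.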
DGKumar 28-Sep-20 6:22am
Hi Richard,
Even if I use a parameterized query while getting data from the DB and try to store it in the DataGrid DataSource, Checkmarx is displaying that the data source data is not sanitized.
dg.DataSource = ds;

The ds rows' data should be sanitized. I could not find out how to do that.
Richard Deeming 28-Sep-20 6:39am
The DataGrid control is an older control which didn't have support for automatically encoding the output.

You should look at switching to the GridView control, and setting the HtmlEncode property on the BoundField columns.

If you stick with the DataGrid, you'll need to switch to using a TemplateColumn, and use a bound Literal within the item template with the correct Mode value set to ensure that the output is HTML-encoded.
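As an added example of the DataGrid approach in the comment above (it is not the answerer's code): each TemplateColumn gets an ITemplate that places a Literal with Mode set to LiteralMode.Encode in the cell and fills it from the named column at data-binding time, so every value from the DataSet is HTML-encoded as it is rendered. The column names and the page controls are hypothetical.

```csharp
// Added example, not the answerer's code. Keeps the legacy DataGrid but routes every
// cell through a Literal in Encode mode. Column names and page controls are assumed.
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

// An item template that renders one column of the current row through an encoding Literal.
public class EncodedCellTemplate : ITemplate
{
    private readonly string fieldName;

    public EncodedCellTemplate(string fieldName)
    {
        this.fieldName = fieldName;
    }

    public void InstantiateIn(Control container)
    {
        var lit = new Literal { Mode = LiteralMode.Encode };
        lit.DataBinding += (sender, e) =>
        {
            var literal = (Literal)sender;
            // The Literal's naming container is the DataGridItem for the row being bound.
            var item = (DataGridItem)literal.NamingContainer;
            object value = DataBinder.Eval(item.DataItem, fieldName);
            // Text is HTML-encoded at render time because Mode is Encode:
            // "<b>x</b>" from the database reaches the browser as &lt;b&gt;x&lt;/b&gt;.
            literal.Text = value == null ? string.Empty : value.ToString();
        };
        container.Controls.Add(lit);
    }
}

public static class DataGridBuilder
{
    // Builds a DataGrid with one encoding TemplateColumn per field and no auto-generated
    // columns, so no value can reach the page through an unencoded BoundColumn.
    public static DataGrid BuildEncodedGrid(params string[] fieldNames)
    {
        var dg = new DataGrid { AutoGenerateColumns = false };
        foreach (string field in fieldNames)
        {
            dg.Columns.Add(new TemplateColumn
            {
                HeaderText = field,
                ItemTemplate = new EncodedCellTemplate(field)
            });
        }
        return dg;
    }
}

// Usage in a page (hypothetical placeholder control "phGrid"; ds is the DataSet from the data layer):
//   DataGrid dg = DataGridBuilder.BuildEncodedGrid("order_id", "customer_name", "notes");
//   phGrid.Controls.Add(dg);
//   dg.DataSource = ds;
//   dg.DataBind();
```

Dynamically created columns must be added before data binding, so build the grid in Page_Init or Page_Load and only then assign DataSource and call DataBind.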

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)