How to deal with this SQL injection warning (CA2100) - sql

Below is the code I got from Microsoft page: SqlCommand
public static Int32 ExecuteNonQuery(String connectionString, String commandText, CommandType commandType, params SqlParameter[] parameters)
{
using (SqlConnection conn = new SqlConnection(connectionString))
{
using (SqlCommand cmd = new SqlCommand(commandText, conn))
{
// There're three command types: StoredProcedure, Text, TableDirect. The TableDirect
// type is only for OLE DB.
cmd.CommandType = commandType;
cmd.Parameters.AddRange(parameters);
conn.Open();
return cmd.ExecuteNonQuery();
}
}
}
However, VS code analysis still complains about "CA2100":
Warning CA2100 The query string passed to 'SqlCommand.SqlCommand(string, SqlConnection)' in 'FlexClaimFormRepository.ExecuteNonQuery(string, string, CommandType, params SqlParameter[])' could contain the following variables 'commandText'. If any of these variables could come from user input, consider using a stored procedure or a parameterized SQL query instead of building the query with string concatenations.
I know the exact reason why the warning is there, but anyidea on how to get rid of it? Given setting commandText inside the function is not acceptable since I want it to be a parameter.

I know this question is old, but maybe this will help someone with the same issue. I also was using a stored procedure and therefore suppressed the warning using the information from this article from Microsoft:
https://learn.microsoft.com/en-us/visualstudio/code-quality/in-source-suppression-overview?view=vs-2019 .
Here's the attribute I added to my method:
[System.Diagnostics.CodeAnalysis.SuppressMessage("Security", "CA2100:Review SQL queries for security vulnerabilities", Justification = "Method already uses a Stored Procedure")]

Related

LogIn form, SQL exception

I'm trying to make a simple program that has a log-in part, with a local database just for testing.And i keep getting an error when I try to open the connection to the SQL database.
private void logInButton_Click(object sender, EventArgs e)
{
MainMenu openMainMenu = new MainMenu();
SqlConnection sqlcon = new SqlConnection(#"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C: \Users\Nea Florin\Desktop\PlatformaTestare\PlatformaTestare\Server.mdf;Integrated Security=True;Connect Timeout=30");
sqlcon.Open();
SqlCommand cmd = new SqlCommand("Select * from Table Where username ='" + usernameTextBox.Text + "' and password = '" + passwrodTextBox.Text + "'");
SqlDataAdapter sda = new SqlDataAdapter(cmd);
DataTable dtbl = new DataTable();
sda.Fill(dtbl);
if (dtbl.Rows.Count > 0)
{
openMainMenu.Show();
this.Hide();
}
else
MessageBox.Show("Wrong username or password!");
}
I get the error at sqlcon.Open();, and it is: "An unhandled exception of type 'System.Data.SqlClient.SqlException' occurred in System.Data.dll
Additional information: An attempt to attach an auto-named database for file C: \Users\Nea Florin\Desktop\PlatformaTestare\PlatformaTestare\Server.mdf failed. A database with the same name exists, or specified file cannot be opened, or it is located on UNC share."
Well, the best advice I can give you is to google the error message. Keep in mind that if there is an error message it means that the problem is well known an as such it's a safe bet that someone have encountered it before you and managed to solve it. The first 4 results of this search are on stackoverflow and at least two of them have accepted answers, so I believe a little reasearch would have saved you a long time.
This is the best advice because it streaches far beyond your current problem. I firmly believe that good searching skills is the most important and most powerfull tools of a sotfware developer. I can assure you, no matter how much time you are developing software, almost every exception you get, someone else have already solved and posted the solution somewhere, you only need to find it.
Now, as for the code it self - You have some major problems other then the exception you are asking about:
Concatenating strings into sql statements instead of using parameters expose your code to SQL injection attacks. This is a very serious threat that is extremely easy to fix.
Using insntances of classes that implements the IDisposable interface without properly disposing them may lead to memory leak. Read about the using statement and make it a habit to use it every time it's possible.
Exception handling. Currently, if your database can't be reached, you get an exception and your program crash. You should use a try...catch block anywhere you can't control in code to let your program end gracefuly instead. (Don't ever use try...catch for things you can do in code such as validate user input or checking division by zero - only for things that are beyon your control such as database availability.)
Having said all that, your code should look something like this:
private void logInButton_Click(object sender, EventArgs e)
{
using (var sqlcon = new SqlConnection(#"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=|DataDirectory|C:\Users\Nea Florin\Desktop\PlatformaTestare\PlatformaTestare\Server.mdf;Integrated Security=True;Connect Timeout=30"))
{
sqlcon.Open();
using (var cmd = new SqlCommand("Select 1 from Table Where username = #userName and password = #password"))
{
cmd.Parameters.Add("#userName", SqlDbType.NVarChar).Value = usernameTextBox.Text;
cmd.Parameters.Add("#password", SqlDbType.NVarChar).Value = passwrodTextBox.Text;
using (var dtbl = new DataTable())
{
using (var sda = new SqlDataAdapter(cmd))
{
sda.Fill(dtbl);
}
if (dtbl.Rows.Count > 0)
{
var openMainMenu = new MainMenu();
openMainMenu.Show();
this.Hide();
}
}
else
{
MessageBox.Show("Wrong username or password!");
}
}
}

How to implement SQL Azure Transient Fault Handling Framework for Dapper?

I'm a vb.net guy and have difficulty reading C#. I compiled the C# Dapper to a DLL and use it my app.
My main concern is I think I need to modify the source to integrate by default the Transient Fault Handling Framework for SQL Azure in each SQL query.
I can add the retry logic on the connection level because it is ont top of dapper, but not at the execute query level which is embedded in drapper class.
Anyone has done that yet ?
* UPDATE *
Does using only ReliableSqlConnection on top of Dapper call will handle a retry logic on the execute non query ?
Here is sample code of retry from MS with the transietn fault hanling
using Microsoft.Practices.EnterpriseLibrary.WindowsAzure.TransientFaultHandling;
using Microsoft.Practices.EnterpriseLibrary.WindowsAzure.TransientFaultHandling.AzureStorage;
using Microsoft.Practices.EnterpriseLibrary.WindowsAzure.TransientFaultHandling.SqlAzure;
using System.Data;
...
using (ReliableSqlConnection conn = new ReliableSqlConnection(connString, retryPolicy))
{
conn.Open();
IDbCommand selectCommand = conn.CreateCommand();
selectCommand.CommandText =
"UPDATE Application SET [DateUpdated] = getdate()";
// Execute the above query using a retry-aware ExecuteCommand method which
// will automatically retry if the query has failed (or connection was
// dropped).
int recordsAffected = conn.ExecuteCommand(selectCommand, retryPolicy);
}
Here is the execute part of Dapper code, same name is used but I guess it is a custom execute function
private static int ExecuteCommand(IDbConnection cnn, IDbTransaction transaction, string sql, Action<IDbCommand, object> paramReader, object obj, int? commandTimeout, CommandType? commandType)
{
IDbCommand cmd = null;
bool wasClosed = cnn.State == ConnectionState.Closed;
try
{
cmd = SetupCommand(cnn, transaction, sql, paramReader, obj, commandTimeout, commandType);
if (wasClosed) cnn.Open();
return cmd.ExecuteNonQuery();
}
finally
{
if (wasClosed) cnn.Close();
if (cmd != null) cmd.Dispose();
}
}
I would recommend wrapping the retry around Dapper, preferably by using the RetryPolicy.ExecuteAction method. That way both the OPEN call to the connection
and the command itself will be retried using the TFH retry policy:
For example:
SqlRetryPolicy.ExecuteAction(() =>
{
// Place Dapper ExecuteCommand here: e.g.
ExecuteCommand(conn, trans, ... )
});

can't connect to sql azure database using monotouch

I'm working on a iphone project using c# and monotouch.
I need to use an SQL Azure database.
My problem is that I cant seem to get connected using monotouch.
I can make the code below work fine in a native console application built on a windows 8 machine using visual studio 2012.
But, when I try to port it over to an imac and use monodevelop/monotouch my iphone app crashes.
The error I get is:
System.NotImplementedException: SSL encryption for data sent between client and server is not implemented.
I google around a bit and found a bug report that seems to describe my exact issue here. I noticed its almost two years old so i'm not sure if this would still be unimplemented.
So, I tried changing the value of StringBuilder.Encrypt = true; to false.
But, it still crashes and I get the error:
Mono.Data.Tds.Protocol.TdsInternalException: Server closed the connection. ---> System.IO.IOException: Connection lost
in either case the app crashes when conn.Open(); is called.
I'm pretty stuck, and I don't have a choice but to use SQL Azure.
So, if anyone could suggest a solution or work around for my issue, I'd appreciate it greatly.
thanks in advance!
string userName = "<username>#<myservername>";
string password = "<password>";
string dataSource = "<myservername>.database.windows.net";
string databaseName = "<dbname>";
SqlConnectionStringBuilder connStringBuilder;
connStringBuilder = new SqlConnectionStringBuilder();
connStringBuilder.DataSource = dataSource;
connStringBuilder.InitialCatalog = databaseName;
connStringBuilder.Encrypt = true;
connStringBuilder.TrustServerCertificate = false;
connStringBuilder.UserID = userName;
connStringBuilder.Password = password;
using (SqlConnection conn = new SqlConnection (connStringBuilder.ToString())) {
conn.Open();
using (IDbCommand dbcmd = conn.CreateCommand()){
string sql = "Select client_username from dbo.client;";
dbcmd.CommandText = sql;
using (IDataReader reader = dbcmd.ExecuteReader()){
while( reader.Read() ){
string username = (string) reader["client_username"];
}
}
}
}
SSL for SqlConnection class is not implemented. See SqlConnection.cs
And as Azure requires an encrypted connection you'll have to do some workaround. For example you could create a web role and expose a web service which executes the SQL on your behalf.
try using a simple string as your connection string:
connStr = "Server=tcp:<server_here>.database.windows.net,1433;Database=<db_name_here>;Trusted_Connection=False;Encrypt=True;TrustServerCertificate=False;UserID=<user_name_here>#<server_name_here>;Password=<password_here>";
using (SqlConnection conn = new SqlConnection (connStr)) {
conn.Open();
using (IDbCommand dbcmd = conn.CreateCommand()){
string sql = "Select client_username from dbo.client;";
dbcmd.CommandText = sql;
using (IDataReader reader = dbcmd.ExecuteReader()){
while( reader.Read() ){
string username = (string) reader["client_username"];
}
}
}
}
Note differences - use Server, Database. Once you get the connection string correct, you can use try the ConnectionStringBuilder and see if you get the exact same output. BUt its easier to just use a string if you have one that works.

Dapper not adding parameters

I am trying to use Dapper for our complex queries to remove any lost overhead that was previously existing with NH.
I have the following query (note this has been considerably shrunk):
SELECT DISTINCT *
FROM tasks t
WHERE t.initials = #UserInits
Which is called via our repository as so:
taskRepo.RawExec<TaskListItemDTO>(Query,new {UserInits = "SAS"})
Our implementation of DapperExec consist as follows:
public IEnumerable<T> RawExec<T>(string SQL, object param)
{
return _session.Connection.Query<T>(SQL,param);
}
But Dapper doesn't appear to be adding the parameters to the query, and as a result, we are getting syntax errors.
Incase it helps, we are connecting over ODBC to Informix.
Thanks
Update Code Sample:
Sorry it took so long, been very busy with work! Below is a sample for MS SQL (2008) Server that should simple query the sys.all_objects (systables?) with a param value of 1 or 0 - but in this sample, as ODBC does not use named params, this won't work.
using Dapper;
using DapperSQL;
using System.Collections.Generic;
using System.Data;
using System.Data.Odbc;
namespace DapperTests
{
public class SQLEx
{
private OdbcConnection GetConnection()
{
var cnn = new OdbcConnection("DSN=ODBCSOURCE");
cnn.Open();
// wrap the connection with a profiling connection that tracks timings
return cnn;
}
public IEnumerable<object> DapperTest()
{
using (OdbcConnection conn = GetConnection())
{
return conn.Query("SELECT * FROM sys.all_objects where is_ms_shipped = ?", new { is_ms_shipped = 1 });
}
}
}
I know this is old post, just use SP instead of query, please check this link Dapper using ODBC store procedure Input parm, this using sybase odbc Sp, all odbc use same technique, I wish it works in Informix.

How to intercept and modify SQL query in Linq to SQL

I was wondering if there is any way to intercept and modify the sql generated from linq to Sql before the query is sent off?
Basically, we have a record security layer, that given a query like 'select * from records' it will modify the query to be something like 'select * from records WHERE [somesecurityfilter]'
I am trying to find the best way to intercept and modify the sql before its executed by the linq to sql provider.
Ok, first to directly answer your question (but read on for words of caution ;)), there is a way, albeit a finicky one, to do what you want.
// IQueryable<Customer> L2S query definition, db is DataContext (AdventureWorks)
var cs = from c in db.Customers
select c;
// extract command and append your stuff
DbCommand dbc = db.GetCommand(cs);
dbc.CommandText += " WHERE MiddleName = 'M.'";
// modify command and execute letting data context map it to IEnumerable<T>
var result = db.ExecuteQuery<Customer>(dbc.CommandText, new object[] { });
Now, the caveats.
You have to know which query is generated so you would know how to modify it, this prolongs development.
It falls out of L2S framework and thus creates a possible gaping hole for sustainable development, if anyone modifies a Linq it will hurt.
If your Linq causes parameters (has a where or other extension causing a WHERE section to appear with constants) it complicates things, you'll have to extract and pass those parameters to ExecuteQuery
All in all, possible but very troublesome. That being said you should consider using .Where() extension as Yaakov suggested. If you want to centrally controll security on object level using this approach you can create an extension to handle it for you
static class MySecurityExtensions
{
public static IQueryable<Customer> ApplySecurity(this IQueryable<Customer> source)
{
return source.Where(x => x.MiddleName == "M.");
}
}
//...
// now apply it to any Customer query
var cs = (from c in db.Customers select c).ApplySecurity();
so if you modify ApplySecurity it will automatically be applied to all linq queries on Customer object.
If you want to intercept the SQL generated by L2S and fiddle with that, your best option is to create a wrapper classes for SqlConnection, SqlCommand, DbProviderFactory etc. Give a wrapped instance of SqlConnection to the L2S datacontext constructor overload that takes a db connection. In the wrapped connection you can replace the DbProviderFactory with your own custom DbProviderFactory-derived class that returns wrapped versions of SqlCommand etc.
E.g.:
//sample wrapped SqlConnection:
public class MySqlConnectionWrapper : SqlConnection
{
private SqlConnecction _sqlConn = null;
public MySqlConnectionWrapper(string connectString)
{
_sqlConn = new SqlConnection(connectString);
}
public override void Open()
{
_sqlConn.Open();
}
//TODO: override everything else and pass on to _sqlConn...
protected override DbProviderFactory DbProviderFactory
{
//todo: return wrapped provider factory...
}
}
When using:
using (SomeDataContext dc = new SomeDataContext(new MySqlConnectionWrapper("connect strng"))
{
var q = from x in dc.SomeTable select x;
//...etc...
}
That said, do you really want to go down that road? You'll need to be able to parse the SQL statements and queries generated by L2S in order to modify them properly. If you can instead modify the linq queries to append whatever you want to add to them, that is probably a better alternative.
Remember that Linq queries are composable, so you can add 'extras' in a separate method if you have something that you want to add to many queries.
first thing come to my mind is to modify the query and return the result in Non-LINQ format
//Get linq-query as datatable-schema
public DataTable ToDataTable(System.Data.Linq.DataContext ctx, object query)
{
if (query == null)
{
throw new ArgumentNullException("query");
}
IDbCommand cmd = ctx.GetCommand((IQueryable)query);
System.Data.SqlClient.SqlDataAdapter adapter = new System.Data.SqlClient.SqlDataAdapter();
adapter.SelectCommand = (System.Data.SqlClient.SqlCommand)cmd;
DataTable dt = new DataTable("sd");
try
{
cmd.Connection.Open();
adapter.FillSchema(dt, SchemaType.Source);
adapter.Fill(dt);
}
finally
{
cmd.Connection.Close();
}
return dt;
}
try to add your condition to the selectCommand and see if it helps.
Try setting up a view in the DB that applies the security filter to the records as needed, and then when retrieving records through L2S. This will ensure that the records that you need will not be returned.
Alternatively, add a .Where() to the query before it is submitted that will apply the security filter. This will allow you to apply the filter programmatically (in case it needs to change based on the scenario).