hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 18:10:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
c20ee76826e10318f8f39c6fae901b743c2e8254
codeql/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjectionDapper.cs
Tamas Vajk ffcb345916 C#: Add Dapper support to SQL injection queries
2021-04-06 17:06:20 +02:00

96 lines
3.0 KiB
C#
Raw Blame History

using System;
namespace Test
{
using System.Data;
using System.Data.Entity;
using System.Data.SqlClient;
using System.Web.UI.WebControls;
using System.Threading.Tasks;
using Dapper;
class SqlInjectionDapper
{
string connectionString;
public void Bad01()
{
using (var connection = new SqlConnection(connectionString))
{
var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
var result = connection.Query<object>(query);
}
}
public async Task Bad02()
{
using (var connection = new SqlConnection(connectionString))
{
var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
var result = await connection.QueryAsync<object>(query);
}
}
public async Task Bad03()
{
using (var connection = new SqlConnection(connectionString))
{
var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
var result = await connection.QueryFirstAsync(query);
}
}
public async Task Bad04()
{
using (var connection = new SqlConnection(connectionString))
{
var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
await connection.ExecuteAsync(query);
}
}
public void Bad05()
{
using (var connection = new SqlConnection(connectionString))
{
var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
connection.ExecuteScalar(query);
}
}
public void Bad06()
{
using (var connection = new SqlConnection(connectionString))
{
var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
connection.ExecuteReader(query);
}
}
public async Task Bad07()
{
using (var connection = new SqlConnection(connectionString))
{
var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
var comDef = new CommandDefinition(query);
var result = await connection.QueryFirstAsync(comDef);
}
}
public async Task Ok07()
{
using (var connection = new SqlConnection(connectionString))
{
var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
var comDef = new CommandDefinition(query);
// no call to any query method
}
}
System.Windows.Forms.TextBox box1;
}
}
Reference in New Issue View Git Blame Copy Permalink