
I have the following piece of code, in which I have made a parameterized query, as I read somewhere that this avoids SQL injection. But after making this change, I am still getting the SQL injection flaw.

    ' Parameterized query: the values are bound as parameters, not spliced into the SQL text
    StrCmd = "select TdsSubCode from Rate where TdsCode= @cboTdsCode and DSCode= @cboDedStatus"
    dsCmd = New SqlCommand(StrCmd, conTdsPac)
    dsCmd.CommandType = CommandType.Text
    dsCmd.Parameters.AddWithValue("@cboTdsCode", cboTdsCode.Text)
    dsCmd.Parameters.AddWithValue("@cboDedStatus", cboDedStatus.Text)
    dsCmd.ExecuteReader()
Bordan
    And what flaw is that? – paparazzo Nov 18 '15 at 08:08
  • Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') – Bordan Nov 18 '15 at 09:20
  • Assuming it is not a false positive, it might in some way be unhappy about the use of `.AddWithValue`. You can use `.Add` and specify the parameter type to avoid the computer having to guess what the parameter type is. – Andrew Morton Nov 18 '15 at 09:38
  • Thank you Andrew for your response. In the case of .Add, we can specify the parameter type, but then how do I assign the value? I can use `dsCmd.Parameters.Add("@cboTdsCode", SqlDbType.NVarChar)`. How would I need to assign the value of "cboTdsCode.Text" to parameter "@cboTdsCode"? – Bordan Nov 18 '15 at 09:52
  • @Bordan You can use the form `sqlCmd.Parameters.Add("@x", SqlDbType.NVarChar, 20).Value = "hkj"`. – Andrew Morton Nov 18 '15 at 10:13
  • Why do you believe this is vulnerable to SQL injection? What did you try that showed that the vulnerability? – Werner Henze Nov 18 '15 at 10:39
  • @AndrewMorton: I will give that a try. Appreciate your help. – Bordan Nov 18 '15 at 10:59
  • @WernerHenze: I uploaded the code in veracode and it showed me the vulnerability. – Bordan Nov 18 '15 at 11:00
  • @Bordan I believe it is a false positive. Can you try to exploit it when giving for example `cboTdsCode.Text='3;DELETE * FROM rate; --'`? – Werner Henze Nov 18 '15 at 12:15
  • @AndrewMorton: Unfortunately the solution of using .Add did not work. – Bordan Nov 27 '15 at 05:52
  • WernerHenze: cboTdsCode.Text is an example. SQL injection also occurs in different instances, like: `select count(cocd) from transactions where voucherNo = @strVno` with `cmdTran.Parameters.AddWithValue("@strVno", strVno)` – Bordan Nov 27 '15 at 05:55
  • In the above example, there is no use of .Text, and still sql injection flaw pops up. – Bordan Nov 27 '15 at 05:59
  • @Bordan Veracode claim a false positive rate of "less than 15%". Which is easily enough to suppose you are getting false positives. Have you contacted Veracode? I expect they would like to be informed so that they can improve their product. – Andrew Morton Nov 27 '15 at 08:57
  • I realize this question is over 3 years old, but I would argue this is a false positive from Veracode. Our scan yelled at us about parameterized SQL using stored procedures. It's ridiculous! – scott.korin Feb 01 '19 at 18:50
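Added example (not code from the question or from any answer): the typed-parameter form Andrew Morton suggests in the comments, written as a complete lookup method with `Using` blocks so the connection, command and reader are disposed. It assumes a connection string passed in as `connStr`, a `Rate` table with the column names from the question (`TdsSubCode`, `TdsCode`, `DSCode`), and NVarChar columns of length 20; the column types and lengths are guesses, not something the question states. The `Main` passes the probe string Werner Henze proposed as an ordinary parameter value, which is the check a practitioner would run to confirm the scanner finding is a false positive: the value is compared as a literal, matches no row, and the table is untouched.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.SqlClient

Public Module RateLookup

    ''' <summary>
    ''' Returns the TdsSubCode values matching tdsCode and dedStatus.
    ''' Both inputs travel to SQL Server as typed parameter values (sp_executesql),
    ''' never as part of the SQL text, so no input can change the statement.
    ''' </summary>
    Public Function GetTdsSubCodes(connStr As String, tdsCode As String, dedStatus As String) As List(Of String)
        Dim results As New List(Of String)()
        Const sql As String =
            "SELECT TdsSubCode FROM Rate WHERE TdsCode = @cboTdsCode AND DSCode = @cboDedStatus"

        Using conn As New SqlConnection(connStr)
            Using cmd As New SqlCommand(sql, conn)
                cmd.CommandType = CommandType.Text
                ' Explicit type and length (assumed NVarChar(20) columns): no type
                ' inference from the runtime value, and the same parameter signature
                ' on every call, so the server caches a single plan.
                cmd.Parameters.Add("@cboTdsCode", SqlDbType.NVarChar, 20).Value = tdsCode
                cmd.Parameters.Add("@cboDedStatus", SqlDbType.NVarChar, 20).Value = dedStatus

                conn.Open()
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    While reader.Read()
                        ' Guard against a NULL TdsSubCode; GetString would throw on DBNull.
                        If Not reader.IsDBNull(0) Then
                            results.Add(reader.GetString(0))
                        End If
                    End While
                End Using
            End Using
        End Using

        Return results
    End Function

    Sub Main()
        Dim connStr As String = "<your connection string here>"   ' placeholder, not a real value

        ' The probe string from the comments, supplied as a plain parameter value.
        ' It is compared as the literal text "3;DELETE * FROM rate; --", so it matches
        ' no TdsCode and the Rate table is unchanged.
        Dim probe As String = "3;DELETE * FROM rate; --"
        Dim rows As List(Of String) = GetTdsSubCodes(connStr, probe, "A")
        Console.WriteLine("{0} row(s) returned for the probe value", rows.Count)
    End Sub

End Module
```

Compared with `AddWithValue`, the explicit `SqlDbType` and size stop the provider from inferring an NVarChar whose length equals the current string, which otherwise produces a different parameter signature (and a separate cached plan) for each distinct input length and can force an implicit conversion when the column is a different type. Neither form splices the value into the SQL text, which is why the scanner result in the question is consistent with the comments calling it a false positive.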

0 Answers