
I have developed a tool, and when I run Fortify on it I get 6 critical issues related to the DB connection string, stating "Concatenating unvalidated input into a database connection may allow an attacker to override the value of a request parameter. An attacker may be able to override existing parameter values, inject a new parameter or exploit variables out of a direct reach."

    // Namespaces this snippet relies on
    using System;
    using System.Data.SqlClient;

    public bool sqlDbValidateUser(string databaseHostname, string databaseName, string databaseUsername, string databasePassword)
    {
        _logger.Info("starting sql DB validation");
        // Caller-supplied values are concatenated straight into the connection string (the line Fortify flags)
        string ConnectionString = "Data Source=" + databaseHostname + "; " +
                                  "Initial Catalog=" + databaseName + ";" +
                                  "User id=" + databaseUsername + ";" +
                                  "Password=" + databasePassword + ";";
        using (SqlConnection connection = new SqlConnection(ConnectionString))
        {
            try
            {
                connection.Open();
                return true;
            }
            catch (Exception)
            {
                return false;
            }
            finally
            {
                if (connection != null)
                {
                    connection.Close();
                }
            }
        }
    }
Raj Singh

1 Answer

When working with SQL databases, string concatenation is pure evil. The correct way to do what you are trying is to replace this code:

    string connectionString = "Data Source=" + databaseHostname + "; " +
                              "Initial Catalog=" + databaseName + ";" +
                              "User id=" + databaseUsername + ";" +
                              "Password=" + databasePassword + ";";

with this code:

    string connectionString;

    try
    {
        // Each value is assigned to a typed property; the builder quotes
        // values that contain ';' so they stay a single key/value pair
        var builder = new SqlConnectionStringBuilder();
        builder.DataSource = databaseHostname;
        builder.InitialCatalog = databaseName;
        builder.UserID = databaseUsername;
        builder.Password = databasePassword;

        connectionString = builder.ToString();
    }
    catch
    {
        return false;
    }
Click Ok
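As an added example (written for this page, not code from the question or the answer), the following shows the two things a reviewer would want on top of the builder: an allow-list check on the host name before it is used at all, and a demonstration that `SqlConnectionStringBuilder` keeps a value containing `;` as one `Data Source` token instead of letting it become a second keyword. It uses `System.Data.SqlClient` (the namespace the question's `SqlConnection` comes from); the `HostPattern` regex, the `Build` and `IsAllowedHost` names and the sample inputs are assumptions made here.

```csharp
// Added example, not part of the original question or answer.
using System;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class SafeConnectionString
{
    // Hypothetical allow-list for the host part: a DNS name or IPv4 address,
    // optional "\instance" and optional ",port". Tighten it for your environment.
    private static readonly Regex HostPattern = new Regex(
        @"^[A-Za-z0-9][A-Za-z0-9.\-]*(\\[A-Za-z0-9_]+)?(,[0-9]{1,5})?$",
        RegexOptions.Compiled);

    public static bool IsAllowedHost(string host)
    {
        return !string.IsNullOrEmpty(host) && HostPattern.IsMatch(host);
    }

    // Builds the connection string through the builder instead of concatenation.
    // Returns null when the host does not pass the allow-list.
    public static string Build(string host, string database, string user, string password)
    {
        if (!IsAllowedHost(host))
        {
            return null;
        }

        var builder = new SqlConnectionStringBuilder
        {
            DataSource = host,
            InitialCatalog = database,
            UserID = user,
            Password = password,
            Encrypt = true   // transport settings are pinned in code, never taken from input
        };
        return builder.ConnectionString;
    }

    public static void Main()
    {
        // Constructed inputs: an ordinary host, then one carrying an embedded ';'.
        Console.WriteLine(Build("db01.example.internal,1433", "app", "svc", "p@ss") ?? "rejected");
        Console.WriteLine(Build("db01;Extra=Value", "app", "svc", "p@ss") ?? "rejected");

        // Even without the allow-list, the builder emits a ';'-bearing value in
        // double quotes, and parsing the result back yields it as a single DataSource.
        var b = new SqlConnectionStringBuilder { DataSource = "db01;Extra=Value" };
        var reparsed = new SqlConnectionStringBuilder(b.ConnectionString);
        Console.WriteLine(b.ConnectionString);
        Console.WriteLine(reparsed.DataSource == "db01;Extra=Value");
    }
}
```

The builder addresses the keyword-injection part of the finding, because a value such as `db01;Extra=Value` is written as `Data Source="db01;Extra=Value"` and round-trips as one value. It does not decide whether that host should be contacted at all, which is why the allow-list check sits in front of it; taint-tracking analyzers generally keep following the host into the builder, so the validation step is what actually constrains what input can reach the connection.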