Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

anand babu 1 Reputation point
2021-06-04T09:17:28.543+00:00

Hello everyone,
Please help with this SQL Injection flaw reported by Veracode; refer to the code below.

Recommendations:
Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible.

Source code:

Public Sub AddParameter(ByVal parmName As String, ByVal parmValue As String, _
    ByVal parmType As SqlDbType, ByVal parmDirection As Direction, _
    Optional ByVal parmSize As Integer = 0)

    ' parms must be a class-level field shared with MakeDBCall (e.g.
    ' Private parms As New ArrayList), not a local declared here: a local
    ' ArrayList would be Nothing and MakeDBCall would never see it.
    ' parmSize is accepted but not applied in the posted code.
    Dim Parameter As SqlParameter
    If parmDirection = Direction.input Then
        Parameter = New SqlParameter(parmName, parmValue)
        Parameter.Direction = ParameterDirection.Input
        Parameter.SqlDbType = parmType
        parms.Add(Parameter)
    End If
End Sub

' Caller: looks up the connection string, names the stored procedure,
' adds the parameter and runs the DB call.
Public Function Employeenumber(ByVal ENumber As String) As Boolean
    Try
        DBAccessor = New DBAccessor.DBAccessor
        DBAccessor.LookupConnectionString("Sample")
        DBAccessor.setCmdText("StoredProcedurename")
        ' Pass the employee number as the bind value (the post passed Nothing,
        ' which left ENumber unused).
        DBAccessor.AddParameter("@parametername", ENumber, SqlDbType.VarChar, DBAccessor.DBAccessor.Direction.input)
        objDataset = DBAccessor.MakeDBCall
        Return True
    Catch ex As Exception
        Return False
    Finally
        DBAccessor.CloseConnection()
        DBAccessor = Nothing
    End Try
End Function

Public Function MakeDBCall() As DataSet
    Try
        Dim DataSet As DataSet = New DataSet
        Dim Command As New SqlCommand
        Dim i As Integer

        ' Con, Adapter, connectionString, cmdText and parms are class-level fields.
        Con = New SqlConnection(connectionString)
        ' Open the connection and set the adapter up for a stored procedure.
        Con.Open()
        Adapter.SelectCommand = Command
        Adapter.SelectCommand.Connection = Con
        Adapter.SelectCommand.CommandType = CommandType.StoredProcedure ' type: stored procedure
        Adapter.SelectCommand.CommandText = cmdText ' stored procedure name

        ' Add parameters
        For i = 0 To (parms.Count - 1)
            Adapter.SelectCommand.Parameters.Add(parms(i))
        Next

        Adapter.Fill(DataSet)
        Return DataSet
    Catch ex As Exception
        Return Nothing
    End Try
End Function


3 answers

  1. Michael Taylor 48,576 Reputation points
    2021-06-04T15:19:20.517+00:00

    I don't see any vulnerability. Can you please clarify exactly where this is being reported, or is this coming from some security scanner that you ran that can possibly report false positives?

    To prevent SQL injection, all you really need to do is ensure that you never set the CommandText of a command to input provided by an end user, or to a string concatenation of user input. That is what parameters are for. It looks like you're doing that here, so SQL injection shouldn't be a problem.

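The rule in the answer above (a fixed CommandText, with values sent as parameters) shown next to the concatenation it warns against, as an added example that is not part of the thread. The table, procedure and parameter names, the connection string and the expected employee-number format are assumptions; no connection is opened, the commands are only built and inspected.

```vb
Imports System.Data
Imports System.Data.SqlClient
Imports System.Text.RegularExpressions

Module SqlInjectionDemo

    ' VULNERABLE: the user's value is concatenated into the statement text, so the
    ' database parses it as SQL rather than treating it as data. This is the
    ' pattern the CWE-89 finding is about. (Employees is a hypothetical table.)
    Public Function BuildUnsafeCommand(ByVal con As SqlConnection, ByVal eNumber As String) As SqlCommand
        Dim cmd As New SqlCommand()
        cmd.Connection = con
        cmd.CommandType = CommandType.Text
        cmd.CommandText = "SELECT * FROM Employees WHERE ENumber = '" & eNumber & "'"
        Return cmd
    End Function

    ' SAFE: the statement is a fixed stored-procedure name; the value travels as a
    ' typed bind variable and cannot change the statement's structure.
    Public Function BuildSafeCommand(ByVal con As SqlConnection, ByVal eNumber As String) As SqlCommand
        Dim cmd As New SqlCommand("usp_GetEmployee", con) ' hypothetical procedure name
        cmd.CommandType = CommandType.StoredProcedure
        Dim p As New SqlParameter("@ENumber", SqlDbType.VarChar, 20) ' explicit type and size
        p.Direction = ParameterDirection.Input
        ' A value of Nothing makes the driver omit the parameter; send an explicit NULL instead.
        p.Value = If(eNumber Is Nothing, CType(DBNull.Value, Object), CType(eNumber, Object))
        cmd.Parameters.Add(p)
        Return cmd
    End Function

    ' Input validation as the scanner's recommendation asks for: reject anything that
    ' does not match the expected shape before it reaches the database (format assumed).
    Public Function IsValidENumber(ByVal eNumber As String) As Boolean
        Return eNumber IsNot Nothing AndAlso Regex.IsMatch(eNumber, "^[A-Za-z0-9]{1,20}$")
    End Function

    Sub Main()
        ' Constructed input containing a quote character, which already breaks the
        ' concatenated statement; the placeholder connection string is never opened.
        Dim untrusted As String = "E100'"
        Using con As New SqlConnection("Server=(local);Database=Sample;Integrated Security=true")
            Console.WriteLine("passes format check: " & IsValidENumber(untrusted))
            Console.WriteLine(BuildUnsafeCommand(con, untrusted).CommandText) ' the input is now part of the SQL
            Dim safe As SqlCommand = BuildSafeCommand(con, untrusted)
            Console.WriteLine(safe.CommandText)                     ' the procedure name, not the input
            Console.WriteLine(safe.Parameters("@ENumber").Value)    ' the input stays a value
        End Using
    End Sub

End Module
```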

  2. Karen Payne MVP 35,036 Reputation points
    2021-06-05T03:52:17.453+00:00

    I agree with @Michael Taylor with regard to not seeing vulnerabilities.

    • One should always consider all input from users as evil.
    • Execute statements with least-privilege permissions, so that if a hacker does figure out how to get into your backend they are constrained, e.g. can't drop a table.
    • Although not part of what's shown, always encrypt connection strings; most coders never consider this.
    • Failing gracefully: no exception handling can possibly lead a hacker down a path to a better understanding of your data.
    • Consider sanitizing methods, Avoiding Security and Usability Disasters.
    • Don't see using stored procedures as protection against attacks.
    • Check out the following cheat sheet for common attacks.

  3. anand babu 1 Reputation point
    2021-06-07T14:08:44.18+00:00

    Is there any way I can bypass this flaw in a Veracode static scan?