Hi, @Mark McCumber ,
Based on CA2100: Review SQL queries for security vulnerabilities.
This rule assumes that any string, whose value can't be determined at compile time, may contain user input. A SQL command string that is built from user input is vulnerable to SQL injection attacks. In a SQL injection attack, a malicious user supplies input that alters the design of a query in an attempt to damage or gain unauthorized access to the underlying database. Typical techniques include injection of a single quotation mark or apostrophe, which is the SQL literal string delimiter; two dashes, which signifies a SQL comment; and a semicolon, which indicates that a new command follows. If user input must be part of the query, use one of the following, listed in order of effectiveness, to reduce the risk of attack.
- Use a stored procedure.
- Use a parameterized command string.
- Validate the user input for both type and content before you build the command string.
You can refer to the following code to use a parameterized command string; you can also refer to the example in the document I provided above.
```vb
' A table name cannot be passed as a SqlParameter value, so validate it against a fixed
' allowlist (constructed here) and bracket it; only column values are bound as parameters.
Dim allowedTables As String() = {"Customers", "Orders"}
If Array.IndexOf(allowedTables, tableName) < 0 Then Throw New ArgumentException("Unknown table: " & tableName)
Dim strSQL As String = "SELECT * FROM [" & tableName & "] WHERE CustomerId = @customerId"
Dim cmd As New SqlCommand(strSQL, connection)
cmd.Parameters.AddWithValue("@customerId", customerId)
Dim reader As SqlDataReader = cmd.ExecuteReader()
```
Best Regards.
Jiachen Li
If the answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
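The following is an added, runnable illustration of the points in the answer above; it is not code from the thread or from the CA2100 documentation. It uses Python's built-in sqlite3 driver and an in-memory database with constructed sample rows (the `Customers` and `Orders` tables, the `ALLOWED_TABLES` set and the row data are all assumptions) instead of SqlCommand, because the mechanics are the same: the `?` placeholder plays the role of `@param`. It shows the concatenated query that CA2100 flags beside its parameterized form, and it shows why a table name cannot be supplied as a parameter, so identifiers have to be handled with an allowlist rather than a bind variable.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original thread).
SAMPLE_ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]
ALLOWED_TABLES = {"Customers", "Orders"}  # constructed allowlist of known table names


def make_db():
    """Build an in-memory database with a Customers table holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (CustomerId INTEGER, Name TEXT)")
    conn.execute("CREATE TABLE Orders (OrderId INTEGER, CustomerId INTEGER)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_concatenated(conn, name):
    """VULNERABLE: the value is spliced into the SQL text, which is what CA2100 flags.

    A name containing a single quote changes the shape of the query instead of
    being compared as data.
    """
    sql = "SELECT CustomerId FROM Customers WHERE Name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def quote_identifier(table):
    """Identifiers cannot be bound as parameters, so validate the table name against
    the allowlist and return it quoted; anything not on the list is rejected."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {table!r}")
    return '"' + table.replace('"', '""') + '"'


def lookup_parameterized(conn, table, name):
    """HARDENED: the value travels as a bound parameter (sqlite3's '?' placeholder,
    the counterpart of @param in SqlCommand); the table name is allowlisted."""
    sql = f"SELECT CustomerId FROM {quote_identifier(table)} WHERE Name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def table_name_as_parameter_works(conn):
    """Show why 'SELECT * FROM @tableName' cannot work: the driver refuses to prepare a
    statement whose table name is a placeholder, because placeholders stand only for values."""
    try:
        conn.execute("SELECT * FROM ?", ("Customers",))
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # the single-quote technique named in the CA2100 text
    print("concatenated, normal input :", lookup_concatenated(db, "alice"))
    print("concatenated, probe input  :", lookup_concatenated(db, probe))
    print("parameterized, probe input :", lookup_parameterized(db, "Customers", probe))
    print("table name as parameter    :", table_name_as_parameter_works(db))
```

Run it directly to see the concatenated lookup return every row for the quote-bearing input while the parameterized lookup returns nothing, and to see the driver reject a placeholder in the table-name position. The same split applies to SqlCommand: bind column values with `Parameters.AddWithValue`, and constrain identifiers with an allowlist before they are placed in the command text.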