CodeSOD: Injectables are Fun

, Software Pundits
This post was originally published on this site

The Daily WTF

Today, Morpheus sends us a SQL injection vulnerability. But it’s a peculiar version that only uses parameters. Let’s start with the bit that looks normal:

strStrBuilder.Append(” update sometable set “) strStrBuilder.Append(” SOMECOLUMN = :p_somevalue, “) strStrBuilder.Append(” rowuserid = :p_userid, “) strStrBuilder.Append(” rowtaskid = :p_taskid “) strStrBuilder.Append(” where id = :p_id”) strSQL = strStrBuilder.ToString

This is VB.Net code, and while I’m never a huge fan of building SQL queries by appending strings together, this is fine. It’s the rest of the context that makes it horrible:

Public Function SomeMethod(ByVal int1 As Integer, ByVal int2 As Integer, Optional ByVal strSQL As String = “”) As Boolean Dim intRecordsAffected As Integer = 0 Dim bResult As Boolean = False Dim strStrBuilder As New StringBuilder() If bUseLocalConnect Then m_cnn.Open() m_tx = m_cnn.BeginTransaction() End If If strSQL.Equals(String.Empty) Then strStrBuilder.Append(” update sometable set “) strStrBuilder.Append(” SOMECOLUMN = :p_somevalue, “) strStrBuilder.Append(” rowuserid = :p_userid, “)

To read the full article click on the 'post' link at the top.

Date

You May Also Like

A Tapestry of Threads

Error'd: Are You Old Enough to Know Better?

Perfect Uptime

Classic WTF: Working Around, Over and Through the Process

CodeSOD: Constantly Magic

CodeSOD: In House Refactoring

More Posts From: Software Pundits

Error'd: No Time Like the Present

CodeSOD: Don't Date Me

CodeSOD: Expressing a Leak

Representative Line: Broken Up With

COGNOS: Fast, Private & On-Demand Answers for Business Operations

CodeSOD: Where is the Validation At?