CodeSOD: Injectables are Fun


The Daily WTF

Today, Morpheus sends us a SQL injection vulnerability. But it’s a peculiar version that only uses parameters. Let’s start with the bit that looks normal:

strStrBuilder.Append(" update sometable set ")
strStrBuilder.Append(" SOMECOLUMN = :p_somevalue, ")
strStrBuilder.Append(" rowuserid = :p_userid, ")
strStrBuilder.Append(" rowtaskid = :p_taskid ")
strStrBuilder.Append(" where id = :p_id")
strSQL = strStrBuilder.ToString

This is VB.Net code, and while I’m never a huge fan of building SQL queries by appending strings together, this is fine. It’s the rest of the context that makes it horrible:

Public Function SomeMethod(ByVal int1 As Integer, ByVal int2 As Integer, Optional ByVal strSQL As String = "") As Boolean
    Dim intRecordsAffected As Integer = 0
    Dim bResult As Boolean = False
    Dim strStrBuilder As New StringBuilder()

    If bUseLocalConnect Then
        m_cnn.Open()
        m_tx = m_cnn.BeginTransaction()
    End If

    If strSQL.Equals(String.Empty) Then
        strStrBuilder.Append(" update sometable set ")
        strStrBuilder.Append(" SOMECOLUMN = :p_somevalue, ")
        strStrBuilder.Append(" rowuserid = :p_userid, ")
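The design flaw is not the parameterised statement but the Optional strSQL argument: whenever a caller passes a non-empty string, that string becomes the query and the carefully bound parameters never enter the picture. The following added example (not code from the post; it rebuilds the pattern in Python on an in-memory SQLite table with constructed rows and the post's column names) shows the vulnerable shape next to a hardened version that simply has no SQL string parameter for callers to abuse.

```python
import sqlite3

# Constructed sample schema using the columns named in the VB.Net snippet.
SCHEMA = """
CREATE TABLE sometable (id INTEGER PRIMARY KEY, SOMECOLUMN TEXT,
                        rowuserid INTEGER, rowtaskid INTEGER);
INSERT INTO sometable VALUES (1, 'old', 0, 0), (2, 'old', 0, 0);
"""

# The statement the post builds; sqlite3 accepts the same :name placeholders.
UPDATE_SQL = ("UPDATE sometable SET SOMECOLUMN = :p_somevalue, "
              "rowuserid = :p_userid, rowtaskid = :p_taskid WHERE id = :p_id")


def some_method_vulnerable(conn, params, sql=""):
    """Mirrors SomeMethod: an optional SQL string overrides the built-in
    statement, so the caller decides what actually executes."""
    return conn.execute(sql or UPDATE_SQL, params).rowcount


def some_method_fixed(conn, params):
    """Hardened form: callers supply values only; the statement is fixed and
    every value travels as a bound parameter."""
    return conn.execute(UPDATE_SQL, params).rowcount


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def column_values(conn):
    rows = conn.execute("SELECT SOMECOLUMN FROM sometable ORDER BY id")
    return [row[0] for row in rows]


def demo():
    params = {"p_somevalue": "new", "p_userid": 7, "p_taskid": 3, "p_id": 1}
    conn = fresh_db()
    fixed_count = some_method_fixed(conn, params)      # exactly one row
    fixed_state = column_values(conn)                  # ['new', 'old']

    # With the optional argument, a caller can hand in a different statement
    # (constructed here: same column, no WHERE clause) and every row changes,
    # even though "only parameters" were used.
    conn = fresh_db()
    other_sql = "UPDATE sometable SET SOMECOLUMN = :p_somevalue"
    hijacked_count = some_method_vulnerable(conn, {"p_somevalue": "new"}, other_sql)
    return fixed_count, fixed_state, hijacked_count, column_values(conn)
```

The review check is therefore not "are parameters used?" but "who controls the statement text?"; an Optional SQL argument on a public method answers that question the wrong way.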
