The Daily WTF
Today, Morpheus sends us a SQL injection vulnerability. But it’s a peculiar version that only uses parameters. Let’s start with the bit that looks normal:
```vbnet
strStrBuilder.Append(" update sometable set ")
strStrBuilder.Append(" SOMECOLUMN = :p_somevalue, ")
strStrBuilder.Append(" rowuserid = :p_userid, ")
strStrBuilder.Append(" rowtaskid = :p_taskid ")
strStrBuilder.Append(" where id = :p_id")
strSQL = strStrBuilder.ToString
```
This is VB.Net code, and while I’m never a huge fan of building SQL queries by appending strings together, this is fine. It’s the rest of the context that makes it horrible:
```vbnet
Public Function SomeMethod(ByVal int1 As Integer, ByVal int2 As Integer, Optional ByVal strSQL As String = "") As Boolean
    Dim intRecordsAffected As Integer = 0
    Dim bResult As Boolean = False
    Dim strStrBuilder As New StringBuilder()

    If bUseLocalConnect Then
        m_cnn.Open()
        m_tx = m_cnn.BeginTransaction()
    End If

    ' The hard-coded UPDATE is only the fallback: whatever a caller passes in the
    ' optional strSQL argument is used as the statement text instead.
    If strSQL.Equals(String.Empty) Then
        strStrBuilder.Append(" update sometable set ")
        strStrBuilder.Append(" SOMECOLUMN = :p_somevalue, ")
        strStrBuilder.Append(" rowuserid = :p_userid, ")
        ' (the excerpt ends here)
```
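The same design reduced to a runnable form, as an added example rather than the article's code: Python with sqlite3, which accepts the excerpt's `:name` placeholders, a constructed `sometable`, the method with its optional statement argument, and a hardened variant beside it. The function and helper names are assumptions; only the column and parameter names come from the excerpt.

```python
import sqlite3

# Constructed in-memory table mirroring the columns named in the VB.Net excerpt.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table sometable (id integer primary key, "
                 "SOMECOLUMN text, rowuserid integer, rowtaskid integer)")
    conn.executemany("insert into sometable values (?, ?, ?, ?)",
                     [(1, "a", 10, 100), (2, "b", 20, 200)])
    conn.commit()
    return conn

# The statement the excerpt builds with its StringBuilder; sqlite3 binds the
# same :name placeholders from a dictionary.
FIXED_UPDATE = ("update sometable set SOMECOLUMN = :p_somevalue, "
                "rowuserid = :p_userid, rowtaskid = :p_taskid where id = :p_id")

def bind(row_id, user_id, task_id, value):
    return {"p_somevalue": value, "p_userid": user_id,
            "p_taskid": task_id, "p_id": row_id}

def some_method_vulnerable(conn, row_id, user_id, task_id, value, sql=""):
    """Same shape as the excerpt: the hard-coded UPDATE is only the fallback
    when the caller leaves the optional `sql` argument empty. Every value is
    bound as a parameter, yet the statement itself is whatever was passed in,
    so the parameters only ever do what the caller's statement says."""
    if sql == "":
        sql = FIXED_UPDATE
    with conn:  # commit on success, roll back on error (the excerpt's m_tx)
        cur = conn.execute(sql, bind(row_id, user_id, task_id, value))
    return cur.rowcount

def some_method_fixed(conn, row_id, user_id, task_id, value):
    """Hardened form: the statement text is a constant owned by the data
    layer; callers can only influence the bound values."""
    with conn:
        cur = conn.execute(FIXED_UPDATE, bind(row_id, user_id, task_id, value))
    return cur.rowcount

def snapshot(conn):
    """Rows as tuples, so a check can see exactly which rows a call touched."""
    return conn.execute("select id, SOMECOLUMN, rowuserid, rowtaskid "
                        "from sometable order by id").fetchall()
```

The review check is the one the article makes: a caller-supplied statement with no `where` clause updates every row while the binding still looks "parameterised", whereas the hardened method cannot be steered off its single row.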