← back to index

S2077 — SQL queries should not be dynamically formatted

Language: VB.NET  |  Type: VULNERABILITY  |  Severity: Major

Tags: cwe, bad-practice, sql, former-hotspot

Dynamically building SQL query strings can result in broken SQL syntax and open SQL injection attacks.

Why is this an issue?

When SQL queries are constructed by concatenating or formatting user-supplied values directly into the query string, the structure of the query itself can be altered by a malicious input. This rule flags calls to SQL execution functions where the query string is built using string concatenation or format operators rather than parameterized queries or prepared statements. Unlike rule {rule:vbnet:S3649}, this rule does not perform taint analysis — it flags all dynamically formatted SQL queries as a potential risk regardless of the data source.

What is the potential impact?

SQL injection

If any part of a dynamically formatted query string originates from untrusted input, an attacker can manipulate the query to read, modify, or delete data they should not have access to, bypass authentication checks, or in some configurations execute operating system commands.

How to fix it

Code examples

The following code builds a SQL query by concatenating a value directly into the query string.

Noncompliant code example

Public Sub SqlCommands(ByVal connection As SqlConnection, ByVal query As String, ByVal param As String)
    Dim sensitiveQuery As String = String.Concat(query, param)
    command = New SqlCommand(sensitiveQuery) ' Noncompliant

    command.CommandText = sensitiveQuery ' Noncompliant

    Dim adapter As SqlDataAdapter
    adapter = New SqlDataAdapter(sensitiveQuery, connection) ' Noncompliant
End Sub

Public Sub Foo(ByVal context As DbContext, ByVal query As String, ByVal param As String)
    Dim sensitiveQuery As String = String.Concat(query, param)
    context.Database.ExecuteSqlCommand(sensitiveQuery) ' Noncompliant

    context.Query(Of User)().FromSql(sensitiveQuery) ' Noncompliant
End Sub

Compliant solution

Public Sub Foo(ByVal context As DbContext, ByVal value As String)
    context.Database.ExecuteSqlCommand("SELECT * FROM mytable WHERE mycol=@p0", value) ' Compliant, the query is parameterized
End Sub

Resources

Articles & blog posts

Standards