Language: VB.NET | Type: VULNERABILITY | Severity: Major
Tags: cwe, bad-practice, sql, former-hotspot
Dynamically building SQL query strings can result in broken SQL syntax and open SQL injection attacks.
When SQL queries are constructed by concatenating or formatting user-supplied values directly into the query string, the structure of the query itself can be altered by a malicious input. This rule flags calls to SQL execution functions where the query string is built using string concatenation or format operators rather than parameterized queries or prepared statements. Unlike rule {rule:vbnet:S3649}, this rule does not perform taint analysis — it flags all dynamically formatted SQL queries as a potential risk regardless of the data source.
If any part of a dynamically formatted query string originates from untrusted input, an attacker can manipulate the query to read, modify, or delete data they should not have access to, bypass authentication checks, or in some configurations execute operating system commands.
The following code builds a SQL query by concatenating a value directly into the query string.
Public Sub SqlCommands(ByVal connection As SqlConnection, ByVal query As String, ByVal param As String)
Dim sensitiveQuery As String = String.Concat(query, param)
command = New SqlCommand(sensitiveQuery) ' Noncompliant
command.CommandText = sensitiveQuery ' Noncompliant
Dim adapter As SqlDataAdapter
adapter = New SqlDataAdapter(sensitiveQuery, connection) ' Noncompliant
End Sub
Public Sub Foo(ByVal context As DbContext, ByVal query As String, ByVal param As String)
Dim sensitiveQuery As String = String.Concat(query, param)
context.Database.ExecuteSqlCommand(sensitiveQuery) ' Noncompliant
context.Query(Of User)().FromSql(sensitiveQuery) ' Noncompliant
End Sub
Public Sub Foo(ByVal context As DbContext, ByVal value As String)
context.Database.ExecuteSqlCommand("SELECT * FROM mytable WHERE mycol=@p0", value) ' Compliant, the query is parameterized
End Sub