Question
In a SonarQube scan of our code, I have a number of violations of csharpsquid:S3649 - User-provided values should be sanitized before use in SQL statements. I think that my code is compliant; can anyone else shed some light as to why this is flagged as non-compliant?
    string connectionString = DatabaseContext.GetiXDataConnectionString();
    string sql = "SELECT UserID FROM SystemUsers " +
                 "Where WindowsLogonName = @WindowsLogon and DomainName = @WindowsDomain and " +
                 "[Disabled] = 0";
    using (SqlConnection conn = new SqlConnection(connectionString))
    {
        conn.Open();
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add(new SqlParameter("@WindowsLogon", windowsUsername));
            cmd.Parameters.Add(new SqlParameter("@WindowsDomain", userDomain));
            object queryResult = cmd.ExecuteScalar();
            if (queryResult != null)
                return queryResult.ToString();
        }
    }
Answer 1:
It complains because the sql variable is not a constant. The issue will disappear if you change your code to (which in general is not a bad thing):
const string sql = "..." + "..." + "...";
S3649 is a very simple rule that raises when the executed SQL is not a constant string. It is far from a real taint analysis check, but it can catch the simplest and most obvious mistakes.
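The fix from the answer applied to the question's query, as an added example (not code from the original post or from SonarQube). It assumes the caller supplies the connection string and that the two columns are nvarchar; the parameter size of 256 is an illustrative assumption, not taken from the original schema.

```csharp
using System.Data;
using System.Data.SqlClient;

public static class SystemUserLookup
{
    // Declared const so every piece of the statement is a compile-time constant.
    // S3649 only checks that the executed text is a constant string; a concatenation
    // of string literals satisfies that, while a non-const variable (even one holding
    // a fully parameterized query, as in the question) is flagged.
    private const string FindUserIdSql =
        "SELECT UserID FROM SystemUsers " +
        "WHERE WindowsLogonName = @WindowsLogon AND DomainName = @WindowsDomain AND " +
        "[Disabled] = 0";

    // Returns the UserID as a string, or null when no enabled user matches.
    // Assumption: connectionString is provided by the caller instead of the
    // DatabaseContext helper used in the question.
    public static string FindUserId(string connectionString, string windowsUsername, string userDomain)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(FindUserIdSql, conn))
        {
            // Typed parameters: user input travels to the server as data, never as
            // SQL text, so it cannot change the shape of the statement. The const
            // requirement above is what satisfies the rule; the parameters are what
            // actually prevents injection.
            cmd.Parameters.Add("@WindowsLogon", SqlDbType.NVarChar, 256).Value = windowsUsername;
            cmd.Parameters.Add("@WindowsDomain", SqlDbType.NVarChar, 256).Value = userDomain;

            conn.Open();
            object queryResult = cmd.ExecuteScalar();
            return queryResult?.ToString();
        }
    }
}
```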
Source: https://stackoverflow.com/questions/49282655/sonarqube-indicates-violation-of-csharpsquids3649-user-provided-values-should