
The method RetrieveTableDisplay() invokes a SQL query built using input coming from an untrusted source. This call could allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.

string sql = 
    SqlHelper.GetSqlString(Constants.RetrieveTableDisplay) + tableName + 
    " WHERE ACCOUNT_NBR='" + AccountNumber + 
    "' ORDER BY " + GenerateOrderByClause(tableName) + " ) a ) where rn > " +
    (currentPageNumber * currentPageSize).ToString() + " AND rn <= " +
    ((currentPageNumber * currentPageSize) + currentPageSize).ToString();

string recordCount = 
    "select count(*) from " + tableName + 
    " WHERE ACCOUNT_NBR='" + AccountNumber + "'";
//Issue is somewhere here of sql injection

if (!Utils.IsUnitTestCase)
{
    try
    {
        using (DbCommand cmd =
               OraDB.GetSqlStringCommand(this.ProcessTableName(sql)))
        {
            using (IDataReader reader = OraDB.ExecuteReader(cmd))
            {
                object o = OraDB.ExecuteScalar(CommandType.Text, recordCount);
                if (o != null)
                {
                    lstEntities.TotalRecords = Convert.ToInt32(o);
                }

                while (reader.Read())
                {
                    objBasTransactionLog = new BASTransactionLog();
                    PopulateEntity(objBasTransactionLog, reader);

                    lstEntities.Add(objBasTransactionLog);
                }
            }
        }
    }
}

Custom Recommendations:

The remedy is to never use string concatenation to build SQL statements. Prepared statements, also called placeholders, should be used to build SQL statements.

Zoran Horvat
John Dave
  • So you're dumping the result of a code audit here and expect us to fix it for you so you don't have to put _any_ effort at all into researching and solving this issue? Start again by reading the [tour] and [ask]. – CodeCaster Sep 06 '16 at 10:35
  • Sorry that I asked this question to genius people like you. If you can't help, at least don't embarrass anybody. I have solved it by myself. But I feel pity on you that you are not having time to resolve the issue, but to embarrass you have a lot of time. – John Dave Sep 19 '16 at 08:02
  • The problem is that your question isn't answerable, because there's no question in it. – CodeCaster Sep 19 '16 at 08:17

1 Answer


The recommended way to guard against SQL injection is to use SqlParameter. Do not add parameter values using string concatenation.

See Using Parameters for SQL Server Queries and Stored Procedures

Georg Patscheider
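As an added example (not code from the question or the answer), here are the two queries from the question rebuilt the way the answer recommends: every value (account number, page bounds) travels as a bind parameter, and the two pieces that cannot be bound, the table name and the ORDER BY clause, come from a fixed allowlist rather than from the request. It assumes the query text hidden behind `Constants.RetrieveTableDisplay` is the usual Oracle `ROWNUM` paging wrapper (the question only shows its tail, `) a ) where rn >`), that `OraDB` can be treated as an open `System.Data.Common.DbConnection`, and that the table and column names in the allowlist exist; those names are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.Common;

public static class AccountQueries
{
    // Identifiers cannot be bound as parameters, so they must never come from the
    // caller. The table name maps to the ORDER BY it is paged with (the role that
    // GenerateOrderByClause(tableName) played in the question). Names are assumed.
    private static readonly Dictionary<string, string> AllowedTables =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            { "BAS_TRANSACTION_LOG",     "TXN_DATE DESC, TXN_ID" }, // assumed
            { "BAS_TRANSACTION_ARCHIVE", "TXN_DATE DESC, TXN_ID" }  // assumed
        };

    private static string ResolveTable(string requestedTable, out string orderBy)
    {
        // Exact-match lookup: only a string that is byte-for-byte in the allowlist
        // ever reaches the SQL text. Anything else is rejected before a command exists.
        if (requestedTable == null || !AllowedTables.TryGetValue(requestedTable, out orderBy))
            throw new ArgumentException("Table not permitted for this query");
        return requestedTable;
    }

    private static void AddParam(DbCommand cmd, string name, DbType type, object value)
    {
        DbParameter p = cmd.CreateParameter();
        p.ParameterName = name;          // referenced in the SQL text as :name
        p.DbType = type;
        p.Value = value ?? DBNull.Value;
        cmd.Parameters.Add(p);
    }

    // Paged read with the same shape as the question's query: inner SELECT with the
    // ORDER BY, ROWNUM wrapper aliased "a", outer filter on rn. Account number and
    // page bounds are bind variables, so a quote in AccountNumber is just data.
    public static DbCommand BuildPageCommand(DbConnection conn, string tableName,
        string accountNumber, int currentPageNumber, int currentPageSize)
    {
        if (currentPageNumber < 0 || currentPageSize <= 0 || currentPageSize > 1000)
            throw new ArgumentOutOfRangeException("page bounds out of range");

        string orderBy;
        string table = ResolveTable(tableName, out orderBy);

        DbCommand cmd = conn.CreateCommand();
        cmd.CommandType = CommandType.Text;
        cmd.CommandText =
            "SELECT * FROM (SELECT a.*, ROWNUM rn FROM (SELECT * FROM " + table +
            " WHERE ACCOUNT_NBR = :acct ORDER BY " + orderBy + ") a) " +
            "WHERE rn > :lo AND rn <= :hi";

        // Added in the order they appear in the text: some Oracle providers bind
        // by position unless BindByName is switched on.
        int lo = currentPageNumber * currentPageSize;
        AddParam(cmd, "acct", DbType.String, accountNumber);
        AddParam(cmd, "lo", DbType.Int32, lo);
        AddParam(cmd, "hi", DbType.Int32, lo + currentPageSize);
        return cmd;
    }

    // Replacement for the concatenated "select count(*)" in the question.
    public static DbCommand BuildCountCommand(DbConnection conn, string tableName,
        string accountNumber)
    {
        string orderBy;
        string table = ResolveTable(tableName, out orderBy);

        DbCommand cmd = conn.CreateCommand();
        cmd.CommandType = CommandType.Text;
        cmd.CommandText = "SELECT COUNT(*) FROM " + table + " WHERE ACCOUNT_NBR = :acct";
        AddParam(cmd, "acct", DbType.String, accountNumber);
        return cmd;
    }

    // Usage mirroring the question's read loop, minus the string building.
    public static int CountFor(DbConnection conn, string tableName, string accountNumber)
    {
        using (DbCommand cmd = BuildCountCommand(conn, tableName, accountNumber))
        {
            object o = cmd.ExecuteScalar();
            return (o == null || o == DBNull.Value) ? 0 : Convert.ToInt32(o);
        }
    }
}
```

The division of labour is the point: anything that is a value (the account number, the rn bounds) is bound, and anything that is an identifier (table, sort columns) is chosen by the code from a closed set, never assembled from the caller's string. Rejecting an unknown table in `ResolveTable` before any `DbCommand` is created keeps the audit finding from reappearing in a different line, and the page-size cap keeps a caller from turning the paging query into a full-table dump.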