
I am using Contrast Security (a third-party tool that flags SQL injection and other vulnerabilities) and Entity Framework; my code is like this:

public int Insert(UserAddress userAddress)
{
    _context.Entry(userAddress).State = EntityState.Added;
    _context.SaveChanges();
    return userAddress.Id;
}

When SaveChanges() gets executed, an insert query is generated like this:

INSERT [dbo].[Address] ([UserId], [Name], [Address1], [Address2],
                        [City], [State], [PostalCode], 
                        [Location], [LocationTypeId],
                        [BusinessName], [DeliveryInstructions],
                        [IsDefault], [SortOrder])
VALUES ('111111a1-22z2-33x3-44y4-fbad42c09c3a', @2, 'address1', null,
        'Alpharetta', 'GA', 30005,
        'POINT (-80.2427068 30.0925161)', 0,
        '', '',
        1, 0)

Now, according to Contrast Security, passing "null" in the query is not ethical; it's bad practice. But I want to allow null values!

Can I pass null values using SQL parameters to the SaveChanges() method?

Is there any way to handle this? Does anyone have any idea?

Ankush
  • Why not convert null values to empty strings? – Rob Anthony Oct 31 '17 at 13:57
  • Compose a [ViewModel](https://stackoverflow.com/questions/11064316/what-is-viewmodel-in-mvc) of the fields you need, then map it to your entity model before saving. – Steve Greene Oct 31 '17 at 18:47
  • @robAnthody, I have many stored procedures there that check IS NOT NULL in the where clause, so I don't think an empty string will be a good approach! – Ankush Nov 01 '17 at 06:08
  • @SteveGreene that's already done in the code; the query is still generated like above – Ankush Nov 01 '17 at 06:10
  • I don't understand the vulnerability. I recall some debate on relational DB design related to that issue: https://dba.stackexchange.com/questions/5222/why-shouldnt-we-allow-nulls – Steve Greene Nov 01 '17 at 12:56
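A small added example (not code from the question, from Entity Framework or from Contrast's product) showing the point under discussion: a NULL passed as a bound parameter is ordinary data, and it still behaves differently from an empty string under an `IS NOT NULL` filter. It uses Python's sqlite3 with a constructed, cut-down Address table in place of SQL Server.

```python
import sqlite3

# Constructed, minimal stand-in for the [dbo].[Address] table from the question.
SCHEMA = """
CREATE TABLE Address (
    Id        INTEGER PRIMARY KEY,
    UserId    TEXT NOT NULL,
    Address1  TEXT NOT NULL,
    Address2  TEXT,               -- nullable, as in the question
    City      TEXT NOT NULL
)
"""


def insert_address(conn, user_id, address1, address2, city):
    """Parameterized INSERT: a Python None is bound as SQL NULL, never inlined as text."""
    cur = conn.execute(
        "INSERT INTO Address (UserId, Address1, Address2, City) VALUES (?, ?, ?, ?)",
        (user_id, address1, address2, city),
    )
    return cur.lastrowid


def count_with_address2(conn):
    """Mirrors the stored-procedure style 'IS NOT NULL' filter the asker relies on."""
    row = conn.execute("SELECT COUNT(*) FROM Address WHERE Address2 IS NOT NULL").fetchone()
    return row[0]


def demo():
    """Insert a real NULL, an empty string and a quoted string, all as bound parameters."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    # Constructed sample rows. The third value contains quote characters; because it
    # is bound rather than concatenated into the statement, it is stored verbatim.
    insert_address(conn, "user-1", "1 Main St", None, "Alpharetta")
    insert_address(conn, "user-2", "2 Main St", "", "Alpharetta")
    insert_address(conn, "user-3", "3 Main St", "Unit 4, O'Brien's Bldg", "Alpharetta")
    stored = [r[0] for r in conn.execute("SELECT Address2 FROM Address ORDER BY Id")]
    return {
        "rows": len(stored),
        "not_null": count_with_address2(conn),  # '' counts as a value; NULL does not
        "stored": stored,
    }


if __name__ == "__main__":
    print(demo())
```

The empty-string row passes the `IS NOT NULL` filter while the NULL row does not, which is exactly why converting nulls to empty strings would change the behaviour of those stored procedures.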

1 Answer


I'm one of the developers for the Contrast Security .NET agent. It does sound like a false positive with our product. There should not be any problems with using nulls in insert statements.

Could you please submit a support request and include your finding trace xml? We'll be happy to take a look and fix this issue on our end.

Lev D
  • Can you please let me know how or where to submit a support request? – Ankush Nov 28 '17 at 13:12
  • Hi Ankush, please go to https://support.contrastsecurity.com to open up a support request or send an email to support@contrastsecurity.com. If you could, please export your vulnerability finding to XML and include it with your ticket. My team will be in touch with you. Thanks! – Lev D Nov 30 '17 at 19:45