✨ (sonar) Fixed finding: "roslyn.sonaranalyzer.security.cs:S3649"
pixeebot[bot] authored Sep 5, 2024
1 parent c681805 commit 2ebb203
Showing 2 changed files with 100 additions and 74 deletions.
78 changes: 41 additions & 37 deletions WebGoat/App_Code/DB/MySqlDbProvider.cs
Original file line number Diff line number Diff line change
Expand Up @@ -54,18 +54,10 @@ public MySqlDbProvider(ConfigFile configFile)

public string Name { get { return DbConstants.DB_TYPE_MYSQL; } }


public bool TestConnection()
{
try
{
/*using (MySqlConnection connection = new MySqlConnection(_connectionString))
{
connection.Open();
MySqlCommand cmd = new MySqlCommand("select * from information_schema.TABLES", connection);
cmd.ExecuteNonQuery();
connection.Close();
}*/
MySqlHelper.ExecuteNonQuery(_connectionString, "select * from information_schema.TABLES");

return true;
Expand Down Expand Up @@ -115,13 +107,14 @@ public bool IsValidCustomerLogin(string email, string password)
string encoded_password = Encoder.Encode(password);

//check email/password
string sql = "select * from CustomerLogin where email = '" + email +
"' and password = '" + encoded_password + "';";
string sql = "select * from CustomerLogin where email = @Email and password = @Password;";

using (MySqlConnection connection = new MySqlConnection(_connectionString))
{
MySqlDataAdapter da = new MySqlDataAdapter(sql, connection);

da.SelectCommand.Parameters.AddWithValue("@Email", email);
da.SelectCommand.Parameters.AddWithValue("@Password", encoded_password);

//TODO: User reader instead (for all calls)
DataSet ds = new DataSet();

Expand Down Expand Up @@ -149,11 +142,12 @@ public string CustomCustomerLogin(string email, string password)
try
{
//get data
string sql = "select * from CustomerLogin where email = '" + email + "';";
string sql = "select * from CustomerLogin where email = @Email;";

using (MySqlConnection connection = new MySqlConnection(_connectionString))
{
MySqlDataAdapter da = new MySqlDataAdapter(sql, connection);
da.SelectCommand.Parameters.AddWithValue("@Email", email);
DataSet ds = new DataSet();
da.Fill(ds);

Expand Down Expand Up @@ -200,8 +194,9 @@ public string GetCustomerEmail(string customerNumber)

using (MySqlConnection connection = new MySqlConnection(_connectionString))
{
string sql = "select email from CustomerLogin where customerNumber = " + customerNumber;
string sql = "select email from CustomerLogin where customerNumber = @CustomerNumber";
MySqlCommand command = new MySqlCommand(sql, connection);
command.Parameters.AddWithValue("@CustomerNumber", customerNumber);
output = command.ExecuteScalar().ToString();
}
}
Expand All @@ -217,7 +212,7 @@ public DataSet GetCustomerDetails(string customerNumber)
string sql = "select Customers.customerNumber, Customers.customerName, Customers.logoFileName, Customers.contactLastName, Customers.contactFirstName, " +
"Customers.phone, Customers.addressLine1, Customers.addressLine2, Customers.city, Customers.state, Customers.postalCode, Customers.country, " +
"Customers.salesRepEmployeeNumber, Customers.creditLimit, CustomerLogin.email, CustomerLogin.password, CustomerLogin.question_id, CustomerLogin.answer " +
"From Customers, CustomerLogin where Customers.customerNumber = CustomerLogin.customerNumber and Customers.customerNumber = " + customerNumber;
"From Customers, CustomerLogin where Customers.customerNumber = CustomerLogin.customerNumber and Customers.customerNumber = @CustomerNumber";

DataSet ds = new DataSet();
try
Expand All @@ -226,6 +221,7 @@ public DataSet GetCustomerDetails(string customerNumber)
using (MySqlConnection connection = new MySqlConnection(_connectionString))
{
MySqlDataAdapter da = new MySqlDataAdapter(sql, connection);
da.SelectCommand.Parameters.AddWithValue("@CustomerNumber", customerNumber);
da.Fill(ds);
}

Expand Down Expand Up @@ -270,7 +266,7 @@ public DataSet GetComments(string productCode)

public string AddComment(string productCode, string email, string comment)
{
string sql = "insert into Comments(productCode, email, comment) values ('" + productCode + "','" + email + "','" + comment + "');";
string sql = "insert into Comments(productCode, email, comment) values (@ProductCode, @Email, @Comment);";
string output = null;

try
Expand All @@ -280,6 +276,9 @@ public string AddComment(string productCode, string email, string comment)
{
connection.Open();
MySqlCommand command = new MySqlCommand(sql, connection);
command.Parameters.AddWithValue("@ProductCode", productCode);
command.Parameters.AddWithValue("@Email", email);
command.Parameters.AddWithValue("@Comment", comment);
command.ExecuteNonQuery();
}
}
Expand All @@ -294,14 +293,16 @@ public string AddComment(string productCode, string email, string comment)

public string UpdateCustomerPassword(int customerNumber, string password)
{
string sql = "update CustomerLogin set password = '" + Encoder.Encode(password) + "' where customerNumber = " + customerNumber;
string sql = "update CustomerLogin set password = @Password where customerNumber = @CustomerNumber";
string output = null;
try
{

using (MySqlConnection connection = new MySqlConnection(_connectionString))
{
MySqlCommand command = new MySqlCommand(sql, connection);
command.Parameters.AddWithValue("@Password", Encoder.Encode(password));
command.Parameters.AddWithValue("@CustomerNumber", customerNumber);

int rows_added = command.ExecuteNonQuery();

Expand All @@ -319,15 +320,15 @@ public string UpdateCustomerPassword(int customerNumber, string password)
public string[] GetSecurityQuestionAndAnswer(string email)
{
string sql = "select SecurityQuestions.question_text, CustomerLogin.answer from CustomerLogin, " +
"SecurityQuestions where CustomerLogin.email = '" + email + "' and CustomerLogin.question_id = " +
"SecurityQuestions where CustomerLogin.email = @Email and CustomerLogin.question_id = " +
"SecurityQuestions.question_id;";

string[] qAndA = new string[2];

using (MySqlConnection connection = new MySqlConnection(_connectionString))
{
MySqlDataAdapter da = new MySqlDataAdapter(sql, connection);

da.SelectCommand.Parameters.AddWithValue("@Email", email);
DataSet ds = new DataSet();
da.Fill(ds);

Expand All @@ -351,8 +352,9 @@ public string GetPasswordByEmail(string email)
using (MySqlConnection connection = new MySqlConnection(_connectionString))
{
//get data
string sql = "select * from CustomerLogin where email = '" + email + "';";
string sql = "select * from CustomerLogin where email = @Email;";
MySqlDataAdapter da = new MySqlDataAdapter(sql, connection);
da.SelectCommand.Parameters.AddWithValue("@Email", email);
DataSet ds = new DataSet();
da.Fill(ds);

Expand Down Expand Up @@ -391,8 +393,9 @@ public DataSet GetOrders(int customerID)

using (MySqlConnection connection = new MySqlConnection(_connectionString))
{
string sql = "select * from Orders where customerNumber = " + customerID;
string sql = "select * from Orders where customerNumber = @CustomerNumber";
MySqlDataAdapter da = new MySqlDataAdapter(sql, connection);
da.SelectCommand.Parameters.AddWithValue("@CustomerNumber", customerID);
DataSet ds = new DataSet();
da.Fill(ds);

Expand All @@ -408,15 +411,16 @@ public DataSet GetProductDetails(string productCode)
string sql = string.Empty;
MySqlDataAdapter da;
DataSet ds = new DataSet();


using (MySqlConnection connection = new MySqlConnection(_connectionString))
{
sql = "select * from Products where productCode = '" + productCode + "'";
sql = "select * from Products where productCode = @ProductCode";
da = new MySqlDataAdapter(sql, connection);
da.SelectCommand.Parameters.AddWithValue("@ProductCode", productCode);
da.Fill(ds, "products");

sql = "select * from Comments where productCode = '" + productCode + "'";
sql = "select * from Comments where productCode = @ProductCode";
da = new MySqlDataAdapter(sql, connection);
da.Fill(ds, "comments");

Expand All @@ -439,12 +443,13 @@ public DataSet GetOrderDetails(int orderNumber)
"Customers.customerNumber = Orders.customerNumber " +
"and OrderDetails.productCode = Products.productCode " +
"and Orders.orderNumber = OrderDetails.orderNumber " +
"and OrderDetails.orderNumber = " + orderNumber;
"and OrderDetails.orderNumber = @OrderNumber";


using (MySqlConnection connection = new MySqlConnection(_connectionString))
{
MySqlDataAdapter da = new MySqlDataAdapter(sql, connection);
da.SelectCommand.Parameters.AddWithValue("@OrderNumber", orderNumber);
DataSet ds = new DataSet();
da.Fill(ds);

Expand All @@ -459,8 +464,9 @@ public DataSet GetPayments(int customerNumber)
{
using (MySqlConnection connection = new MySqlConnection(_connectionString))
{
string sql = "select * from Payments where customerNumber = " + customerNumber;
string sql = "select * from Payments where customerNumber = @CustomerNumber";
MySqlDataAdapter da = new MySqlDataAdapter(sql, connection);
da.SelectCommand.Parameters.AddWithValue("@CustomerNumber", customerNumber);
DataSet ds = new DataSet();
da.Fill(ds);

Expand All @@ -482,22 +488,24 @@ public DataSet GetProductsAndCategories(int catNumber)
string sql = string.Empty;
MySqlDataAdapter da;
DataSet ds = new DataSet();

//catNumber is optional. If it is greater than 0, add the clause to both statements.
string catClause = string.Empty;
if (catNumber >= 1)
catClause += " where catNumber = " + catNumber;

catClause += " where catNumber = @CatNumber";

using (MySqlConnection connection = new MySqlConnection(_connectionString))
{

sql = "select * from Categories" + catClause;
da = new MySqlDataAdapter(sql, connection);
if (catNumber >= 1) da.SelectCommand.Parameters.AddWithValue("@CatNumber", catNumber);
da.Fill(ds, "categories");

sql = "select * from Products" + catClause;
da = new MySqlDataAdapter(sql, connection);
if (catNumber >= 1) da.SelectCommand.Parameters.AddWithValue("@CatNumber", catNumber);
da.Fill(ds, "products");


Expand All @@ -514,12 +522,13 @@ public DataSet GetProductsAndCategories(int catNumber)

public DataSet GetEmailByName(string name)
{
string sql = "select firstName, lastName, email from Employees where firstName like '" + name + "%' or lastName like '" + name + "%'";
string sql = "select firstName, lastName, email from Employees where firstName like @Name or lastName like @Name";


using (MySqlConnection connection = new MySqlConnection(_connectionString))
{
MySqlDataAdapter da = new MySqlDataAdapter(sql, connection);
da.SelectCommand.Parameters.AddWithValue("@Name", name + "%");
DataSet ds = new DataSet();
da.Fill(ds);

Expand All @@ -536,13 +545,7 @@ public string GetEmailByCustomerNumber(string num)
try
{

output = (String)MySqlHelper.ExecuteScalar(_connectionString, "select email from CustomerLogin where customerNumber = " + num);
/*using (MySqlConnection connection = new MySqlConnection(_connectionString))
{
string sql = "select email from CustomerLogin where customerNumber = " + num;
MySqlCommand cmd = new MySqlCommand(sql, connection);
output = (string)cmd.ExecuteScalar();
}*/
output = (String)MySqlHelper.ExecuteScalar(_connectionString, "select email from CustomerLogin where customerNumber = @CustomerNumber", new MySqlParameter("@CustomerNumber", num));

}
catch (Exception ex)
Expand All @@ -556,12 +559,13 @@ public string GetEmailByCustomerNumber(string num)

public DataSet GetCustomerEmails(string email)
{
string sql = "select email from CustomerLogin where email like '" + email + "%'";
string sql = "select email from CustomerLogin where email like @Email";


using (MySqlConnection connection = new MySqlConnection(_connectionString))
{
MySqlDataAdapter da = new MySqlDataAdapter(sql, connection);
da.SelectCommand.Parameters.AddWithValue("@Email", email + "%");
DataSet ds = new DataSet();
da.Fill(ds);

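Review bot: In GetProductDetails the second query, `select * from Comments where productCode = @ProductCode`, is assigned to a fresh MySqlDataAdapter but the `@ProductCode` parameter is only added to the first adapter, so the comments query is sent with an undefined placeholder and presumably fails at `da.Fill(ds, "comments")` — the earlier AddWithValue cannot carry over because `da` is reassigned. Add `da.SelectCommand.Parameters.AddWithValue("@ProductCode", productCode);` directly after the second `da = new MySqlDataAdapter(sql, connection);`, mirroring the products query. The other hunks pair each placeholder with an AddWithValue consistently, though in GetEmailByName and GetCustomerEmails the caller-supplied prefix goes into LIKE unescaped, so `%` and `_` in the input still act as wildcards (not an injection, but broader matching than the pattern suggests, worth a comment or an escape step). GetProductDetails' body continues outside the hunk.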