In a SonarQube scan of our code, I have a number of violations of csharpsquid:S3649 - User-provided values should be sanitized before use in SQL statements. I think that my code is compliant; can anyone else shed some light on why this is flagged as non-compliant?
```csharp
using System.Data.SqlClient;

// Looks up the UserID of an enabled user by Windows logon name and domain.
// windowsUsername and userDomain are the enclosing method's inputs (not shown in the snippet).
string connectionString = DatabaseContext.GetiXDataConnectionString();
string sql = "SELECT UserID FROM SystemUsers " +
             "Where WindowsLogonName = @WindowsLogon and DomainName = @WindowsDomain and " +
             "[Disabled] = 0";
using (SqlConnection conn = new SqlConnection(connectionString))
{
    conn.Open();
    using (SqlCommand cmd = new SqlCommand(sql, conn))
    {
        // User-supplied values are bound as parameters, not concatenated into the SQL text.
        cmd.Parameters.Add(new SqlParameter("@WindowsLogon", windowsUsername));
        cmd.Parameters.Add(new SqlParameter("@WindowsDomain", userDomain));
        object queryResult = cmd.ExecuteScalar();
        if (queryResult != null)
            return queryResult.ToString();
    }
}
```
It complains because the `sql` variable is not a constant. The issue will disappear if you change your code to the following (which in general is not a bad thing):

```csharp
const string sql = "..." + "..." + "...";
```
S3649 is a very simple rule that raises when the executed SQL is not a constant string. It is far from a real taint analysis check, but it can catch the simplest and most obvious mistakes.
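The answer's suggestion carried through on the question's query, as an added example (not the asker's or the answerer's code): the SQL text becomes a compile-time constant, which is what S3649 checks for, while the user-supplied values still reach the server only as typed parameters. `DatabaseContext.GetiXDataConnectionString()` is the question's own helper; the class and method names and the `SqlDbType`/length choices are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class SystemUserLookup
{
    // Compile-time constant: concatenating string literals is still a constant expression,
    // so the query stays readable across lines and S3649 no longer fires on it.
    private const string UserIdByWindowsLogonSql =
        "SELECT UserID FROM SystemUsers " +
        "WHERE WindowsLogonName = @WindowsLogon AND DomainName = @WindowsDomain AND " +
        "[Disabled] = 0";

    // Returns the UserID of an enabled user, or null when no row matches.
    // Hypothetical method name; the connection-string helper is the one from the question.
    public static string FindUserId(string windowsUsername, string userDomain)
    {
        using (var conn = new SqlConnection(DatabaseContext.GetiXDataConnectionString()))
        using (var cmd = new SqlCommand(UserIdByWindowsLogonSql, conn))
        {
            // User input is bound as typed parameters: the driver transmits it as data,
            // never as SQL text. The explicit type and length (assumed here) avoid implicit
            // conversions and keep one cached execution plan regardless of input length.
            cmd.Parameters.Add("@WindowsLogon", SqlDbType.NVarChar, 256).Value = windowsUsername;
            cmd.Parameters.Add("@WindowsDomain", SqlDbType.NVarChar, 256).Value = userDomain;

            conn.Open();
            object result = cmd.ExecuteScalar();

            // ExecuteScalar returns null when no row matches and DBNull.Value for a NULL column.
            return result == null || result == DBNull.Value ? null : result.ToString();
        }
    }
}
```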