Sonarqube indicates violation of csharpsquid:S3649 - User-provided values should be sanitized before use in SQL statements


Problem description

In a sonarqube scan of our code, I have a number of violations of csharpsquid:S3649 - User-provided values should be sanitized before use in SQL statements. I think that my code is compliant; can anyone else shed some light as to why this is flagged as non-compliant?

using System.Data.SqlClient;

// The posted fragment is a method body; the wrapper method below (name assumed)
// is added only so the snippet compiles as a unit.
string GetUserId(string windowsUsername, string userDomain)
{
    string connectionString = DatabaseContext.GetiXDataConnectionString();

    string sql = "SELECT UserID FROM SystemUsers " +
                 "Where WindowsLogonName = @WindowsLogon and DomainName = @WindowsDomain and " +
                 "[Disabled] = 0";

    using (SqlConnection conn = new SqlConnection(connectionString))
    {
        conn.Open();

        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // user-supplied values are bound as parameters, not spliced into the SQL text
            cmd.Parameters.Add(new SqlParameter("@WindowsLogon", windowsUsername));
            cmd.Parameters.Add(new SqlParameter("@WindowsDomain", userDomain));
            object queryResult = cmd.ExecuteScalar();

            if (queryResult != null)
                return queryResult.ToString();
        }
    }

    return null;
}

Recommended answer

It complains because the sql variable is not a constant. The issue will disappear if you change your code to (which in general is not a bad thing):

const string sql = "..." + "..." + "...";

S3649 is a very simple rule that raises when the executed SQL is not a constant string. It is far from a real taint analysis check, but it can catch the simplest and most obvious mistakes.
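As an added illustration (not code from the question or the answer) of what S3649 does and does not check, here is the lookup from the question in three forms: const SQL with parameters (compliant), non-const SQL with parameters (flagged but safe) and SQL built by concatenating the user value (flagged and genuinely unsafe). The connection string, windowsUsername and userDomain are assumed caller-supplied placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not the question's or the answerer's code. connectionString,
// windowsUsername and userDomain are assumed caller-supplied placeholders.
public static class SystemUserLookup
{
    // Form 1 (compliant): the SQL text is a compile-time constant and user input is
    // bound as parameters. Concatenating string literals is still a constant expression.
    private const string FindUserSql =
        "SELECT UserID FROM SystemUsers " +
        "WHERE WindowsLogonName = @WindowsLogon AND DomainName = @WindowsDomain AND " +
        "[Disabled] = 0";

    public static string FindUserId(string connectionString, string windowsUsername, string userDomain)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(FindUserSql, conn))
        {
            // Typed parameters: the values are sent separately and never parsed as SQL.
            cmd.Parameters.Add("@WindowsLogon", SqlDbType.NVarChar, 256).Value = windowsUsername;
            cmd.Parameters.Add("@WindowsDomain", SqlDbType.NVarChar, 256).Value = userDomain;
            conn.Open();
            object result = cmd.ExecuteScalar();
            return result == null || result == DBNull.Value ? null : result.ToString();
        }
    }

    // Form 2 (flagged, but safe): the same parameterised query with the SQL in a local
    // non-const variable. S3649 checks only constness, so it raises here although the
    // parameters make injection impossible; promoting the local to const satisfies it.
    public static SqlCommand BuildFlaggedButSafeCommand(SqlConnection conn, string windowsUsername)
    {
        string sql = "SELECT UserID FROM SystemUsers WHERE WindowsLogonName = @WindowsLogon";
        var cmd = new SqlCommand(sql, conn);
        cmd.Parameters.Add("@WindowsLogon", SqlDbType.NVarChar, 256).Value = windowsUsername;
        return cmd;
    }

    // Form 3 (flagged, and genuinely unsafe): the mistake the rule exists to catch.
    // The user-controlled value becomes part of the SQL text itself.
    public static SqlCommand BuildUnsafeCommand(SqlConnection conn, string windowsUsername)
    {
        string sql = "SELECT UserID FROM SystemUsers WHERE WindowsLogonName = '" + windowsUsername + "'";
        return new SqlCommand(sql, conn); // shown only to contrast with Form 1
    }
}
```

Form 2 is exactly the situation in the question: the finding goes away once the query text is const, while the parameters were already what made it safe.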
