Question

I am using Microsoft Sync Framework in my application for synchronization of data.
To remove the tracking table I am using the code below.

using System.Data.SqlClient;
using System.Text;

// conn is an already-constructed SqlConnection; tableName is the base table
// whose Sync Framework tracking objects are to be dropped.
StringBuilder sb = new StringBuilder();

// Drop tracking table & triggers. tableName is formatted directly into the
// T-SQL text (this is the pattern the CAT.NET scan reports).
sb.AppendFormat(@"
IF EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[{0}_tracking]') AND type in (N'U'))
    DROP TABLE [dbo].[{0}_tracking]
IF EXISTS (SELECT * FROM sys.triggers WHERE object_id = OBJECT_ID(N'[dbo].[{0}_insert_trigger]'))
    DROP TRIGGER [dbo].[{0}_insert_trigger]
IF EXISTS (SELECT * FROM sys.triggers WHERE object_id = OBJECT_ID(N'[dbo].[{0}_delete_trigger]'))
    DROP TRIGGER [dbo].[{0}_delete_trigger]
IF EXISTS (SELECT * FROM sys.triggers WHERE object_id = OBJECT_ID(N'[dbo].[{0}_update_trigger]'))
    DROP TRIGGER [dbo].[{0}_update_trigger]", tableName);

// Drop the stored procedures Sync Framework generated for this table.
foreach (string procName in new string[] { "delete", "deletemetadata", "insert", "insertmetadata", "update", "updatemetadata", "selectrow", "selectchanges" })
{
    sb.AppendFormat(@"
IF EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[{0}_{1}]') AND type in (N'P', N'PC'))
    DROP PROCEDURE [dbo].[{0}_{1}]", tableName, procName);
}

// Execute the whole batch as a single command.
using (SqlCommand comm = new SqlCommand(sb.ToString(), conn))
{
    conn.Open();
    comm.ExecuteNonQuery();
    conn.Close();
}

When I run CAT.NET on the DLL containing this code it reports a SQL injection vulnerability.
Can anyone suggest how to remove this SQL injection issue?

For more information on the above code you can click here.


Solution

Nothing you can do with that since you are relying on an external DLL. You can convert the same into an SP and try to avoid inline statements.

Hope this helps.

OTHER TIPS

Why are you manually removing those objects and not simply running deprovisioning from within Sync Framework?

Even with your code above, you're not dropping the user defined table types as well.
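A hardened version of the drop routine from the question, as an added example that is not from the question, either answer, or Sync Framework's own code: the table name is rejected unless it is a plain identifier and exists in sys.tables (checked through a real parameter), and the object names are built server-side with QUOTENAME from a typed parameter, so nothing supplied by the caller is spliced into SQL text. The `TrackingCleanup` class, `DropTrackingObjects` method and `SafeIdentifier` pattern are assumed names; the object naming follows the suffixes used in the question.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

static class TrackingCleanup
{
    // Assumed rule: only a plain identifier is accepted before the name goes anywhere near T-SQL.
    static readonly Regex SafeIdentifier = new Regex(@"^[A-Za-z_][A-Za-z0-9_]{0,127}$");

    public static void DropTrackingObjects(SqlConnection conn, string tableName)
    {
        if (!SafeIdentifier.IsMatch(tableName))
            throw new ArgumentException("Table name is not a plain identifier.", nameof(tableName));

        conn.Open();
        try
        {
            // Catalog check with a parameter: the value is bound as data, never as SQL text.
            using (var check = new SqlCommand(
                "SELECT COUNT(*) FROM sys.tables WHERE name = @name AND schema_id = SCHEMA_ID('dbo')", conn))
            {
                check.Parameters.Add("@name", SqlDbType.NVarChar, 128).Value = tableName;
                if ((int)check.ExecuteScalar() == 0)
                    throw new ArgumentException("Unknown base table: " + tableName);
            }

            // Names are looked up in the catalog and quoted with QUOTENAME on the server;
            // the client sends only a typed sysname parameter (@base), never raw SQL.
            const string dropSql = @"
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'DROP TABLE dbo.' + QUOTENAME(name) + N';' FROM sys.tables WHERE name = @base + N'_tracking';
SELECT @sql += N'DROP TRIGGER dbo.' + QUOTENAME(name) + N';' FROM sys.triggers
  WHERE name IN (@base + N'_insert_trigger', @base + N'_delete_trigger', @base + N'_update_trigger');
SELECT @sql += N'DROP PROCEDURE dbo.' + QUOTENAME(name) + N';' FROM sys.procedures
  WHERE name IN (@base + N'_delete', @base + N'_deletemetadata', @base + N'_insert', @base + N'_insertmetadata',
                 @base + N'_update', @base + N'_updatemetadata', @base + N'_selectrow', @base + N'_selectchanges');
EXEC sp_executesql @sql;";

            using (var drop = new SqlCommand(dropSql, conn))
            {
                drop.Parameters.Add("@base", SqlDbType.NVarChar, 128).Value = tableName;
                drop.ExecuteNonQuery();
            }
        }
        finally { conn.Close(); }
    }
}
```

The same two controls (identifier validation plus QUOTENAME on the server) apply if you also drop the user-defined table types the second answer mentions; the other option is to let `SqlSyncScopeDeprovisioning` remove all of these objects instead of hand-written DDL.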

Licensed under: CC-BY-SA with attribution