Is CA2100 correct if the command text is a stored procedure?

  • Question

  • Hi,

    In a related question there seems to be no discussion about the correctness of the "CA2100:Review SQL queries for security vulnerabilities" warning. If we imagine that the SqlCommand.CommandText comes from user input, but that the SqlCommand.CommandType == CommandType.StoredProcedure, is the warning still correct? I.e. is there still a security issue when CommandType.StoredProcedure is used? 

    Just to clarify, the SqlCommand would be used like this:

    using System.Data;            // CommandType
    using System.Data.SqlClient;  // SqlConnection, SqlCommand

    var text = DialogBox.InputFromEvilUser;  // untrusted string becomes the procedure name
    using (var conn = new SqlConnection(conStr))
    using (var comm = new SqlCommand(text, conn))  // <--- CA2100 here
    {
      comm.CommandType = CommandType.StoredProcedure;
      // SqlParameters, ExecuteNonQuery etc under here...
    }

    --
    Werner

    Tuesday, March 19, 2013 9:33 AM

Answers

  • I consider it valid. Without thinking at all about what you are doing, you might end up executing a system procedure that you don't want to execute.
    Tuesday, March 19, 2013 2:10 PM
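The usual way to keep the warning from applying, as an added example that is not part of this thread: the user's string is only ever used as a key into a fixed allowlist, so CommandText is always one of our own constants and the actual inputs travel as typed parameters. The procedure names, the "@RegionId" parameter and the ReportRunner class are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Constructed allowlist: the only procedures this code is ever permitted to run.
static class ReportRunner
{
    private static readonly Dictionary<string, string> AllowedProcedures =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "sales",     "dbo.usp_SalesReport" },      // hypothetical procedure names
            { "inventory", "dbo.usp_InventoryReport" },
        };

    // Maps a user-chosen report key to a fixed procedure name, or returns null
    // if the key is not on the allowlist. The user's text never becomes CommandText.
    public static string ResolveProcedure(string userChoice)
    {
        if (string.IsNullOrWhiteSpace(userChoice)) return null;
        string proc;
        return AllowedProcedures.TryGetValue(userChoice.Trim(), out proc) ? proc : null;
    }

    // Executes the allowlisted procedure; unknown keys are rejected before any
    // SqlCommand is built, so there is no path from user input to the command text.
    public static int Run(string connectionString, string userChoice, int regionId)
    {
        string proc = ResolveProcedure(userChoice);
        if (proc == null)
            throw new ArgumentException("Unknown report key: " + userChoice);

        using (var conn = new SqlConnection(connectionString))
        using (var comm = new SqlCommand(proc, conn))  // CommandText is one of our constants
        {
            comm.CommandType = CommandType.StoredProcedure;
            // Inputs go in as typed parameters, not as part of the command text.
            comm.Parameters.Add("@RegionId", SqlDbType.Int).Value = regionId;
            conn.Open();
            return comm.ExecuteNonQuery();
        }
    }
}
```

With this shape, CA2100 has nothing to flag because the string passed to the SqlCommand constructor is a compile-time constant chosen by the lookup, not the user's input.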