
Database queries should not be vulnerable to injection attacks

Rule description

  • Database queries should not be vulnerable to injection attacks. A statement built by concatenating a value that comes from outside the program (user input, a file, another system) lets that value change the structure of the SQL, so an attacker can read, alter or delete data the statement was never meant to touch. Pass such values as bind variables (host variables in embedded SQL, placeholders in prepared or dynamic SQL) instead of splicing them into the SQL text; when a part of the statement itself must vary, such as a WHERE clause, restrict it to a fixed set of known-safe fragments rather than accepting free text.


Non-compliant Code Example

string query = "Delete FROM employee WHERE emp_id = '" + ls_valor + "'" // Possible sql injection
string query = "Select * FROM Users WHERE Username = '" + ls_valor + "'" // Possible sql injection
string query = "Insert INTO employee(emp_id) Values('" + ls_valor + "')" // Possible sql injection
string query = "SELECT emp_id FROM employee WHERE " + ls_where // Possible sql injection
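The following is an added example, not code from the page or from Visual Expert, showing why the concatenation pattern above is dangerous and what the compliant form looks like. It uses Python with an in-memory SQLite database and constructed sample rows; the table names, column names and the `ls_valor` parameter mirror the non-compliant snippets, while `build_db`, `find_user_unsafe`, `find_user_safe`, `delete_employee_unsafe`, `delete_employee_safe`, `select_emp_ids` and `ALLOWED_COLUMNS` are names chosen here for illustration. The last function goes beyond the page's examples: it shows how to handle the dynamic WHERE case (the `ls_where` snippet) when the column must vary, by allowlisting the identifier and binding the value.

```python
import sqlite3


def build_db():
    """Create an in-memory database with constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (Username TEXT, Role TEXT)")
    con.executemany("INSERT INTO Users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    con.execute("CREATE TABLE employee (emp_id TEXT, dept TEXT)")
    con.executemany("INSERT INTO employee VALUES (?, ?)",
                    [("E1", "it"), ("E2", "hr"), ("E3", "it")])
    con.commit()
    return con


def find_user_unsafe(con, ls_valor):
    """Non-compliant: the value is spliced into the SQL text, as on the page.
    A value such as  x' OR '1'='1  turns the WHERE clause into a tautology."""
    query = "SELECT Username FROM Users WHERE Username = '" + ls_valor + "'"
    return sorted(row[0] for row in con.execute(query))


def find_user_safe(con, ls_valor):
    """Compliant: the value is bound to a placeholder, so it can only ever
    be compared as data and never alters the statement."""
    query = "SELECT Username FROM Users WHERE Username = ?"
    return sorted(row[0] for row in con.execute(query, (ls_valor,)))


def delete_employee_unsafe(con, ls_valor):
    """Non-compliant DELETE; returns how many rows were removed."""
    query = "DELETE FROM employee WHERE emp_id = '" + ls_valor + "'"
    return con.execute(query).rowcount


def delete_employee_safe(con, ls_valor):
    """Compliant DELETE with a bound value; returns how many rows were removed."""
    query = "DELETE FROM employee WHERE emp_id = ?"
    return con.execute(query, (ls_valor,)).rowcount


# Hypothetical allowlist: the only columns a caller may filter on.
ALLOWED_COLUMNS = {"emp_id", "dept"}


def select_emp_ids(con, column, value):
    """Hardened form of the dynamic-WHERE case. Identifiers cannot be bound,
    so the column name is checked against a fixed allowlist; the value is
    still passed as a parameter."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not permitted in WHERE clause: {column!r}")
    query = f"SELECT emp_id FROM employee WHERE {column} = ?"
    return sorted(row[0] for row in con.execute(query, (value,)))


if __name__ == "__main__":
    con = build_db()
    payload = "x' OR '1'='1"
    print("unsafe lookup with payload:", find_user_unsafe(con, payload))
    print("safe lookup with payload:  ", find_user_safe(con, payload))
    print("unsafe delete removed:", delete_employee_unsafe(con, "' OR '1'='1"))
    con = build_db()
    print("safe delete removed:  ", delete_employee_safe(con, "' OR '1'='1"))
    print("allowlisted dynamic WHERE:", select_emp_ids(con, "dept", "it"))
```

Running the script shows the unsafe lookup returning every user and the unsafe delete wiping the whole table for the same payload, while the bound versions match nothing, because the quote and `OR` arrive as ordinary characters in a string value. Note that `sqlite3` refuses stacked statements in a single `execute` call, so the example does not rely on `;`-separated payloads; many other database drivers do accept them, which makes the concatenated form even more dangerous there.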
Visual Expert 2020
 VEPBRULE7