Arul Jesuraj

Arul Jesuraj

  • 1.6k
  • 109
  • 22.5k

Change this code to not construct SQL queries directly from user data

Jun 27 2023 5:36 AM

Hi,

I have a use case where dynamic sql query is cinstructed from a user input to the controller action method.

Even the TableName and ColumnName are inputs to the action. Query is constructed as below.

sqlQuery.Append("SELECT * From public."\"" + tableName + "\" WHERE \"" + attributeName + "\" = @attributeValue);

No issue with implementation. But, SONARQUBE raises critical below error.

Change this code to not construct SQL queries directly from user-controlled data

Please suggest how I can solve it. All the compliant solutions are not solving the issue.


Answers (1)