C#-CWE-89

The product constructs all or part of an SQL command using externally influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream database.

Required inputs: CSharpAST

This rule detects SQL injection vulnerabilities, where user input is concatenated directly into an SQL query string without proper parameterization or sanitization. Example of a safe implementation in C#:

// Assumes System.Data.SqlClient (or Microsoft.Data.SqlClient) is imported and that
// connectionString is a field defined elsewhere in the class.
public static void ExecuteSafeQuery(string userInput)
{
    using (var connection = new SqlConnection(connectionString))
    {
        connection.Open();
        // The query text is a constant; the user-supplied value is bound to @name as a
        // parameter, so it is always treated as data and cannot change the command's structure.
        using (var command = new SqlCommand(
            "SELECT * FROM Users WHERE Name = @name", connection))
        {
            command.Parameters.AddWithValue("@name", userInput);
            using (var reader = command.ExecuteReader())
            {
                while (reader.Read())
                {
                    Console.WriteLine(reader["Name"]);
                }
            }
        }
    }
}
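As an added illustration (not part of this rule's documentation), the concatenation pattern the rule reports, placed next to a parameterized version that also handles an ORDER BY column, which SQL parameters cannot carry. The class name, connection string, Users table and its Name/CreatedAt columns are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient; // assumed provider; Microsoft.Data.SqlClient exposes the same types
public static class UserQueries
{
    // Placeholder connection string (assumed, not from the documentation).
    private const string ConnectionString = "Server=.;Database=App;Integrated Security=true";
    // What the rule reports as tainted_call: the query text is assembled from userInput, so a
    // quote in the input alters the structure of the command instead of just a compared value.
    public static int CountUsersUnsafe(string userInput)
    {
        using (var connection = new SqlConnection(ConnectionString))
        {
            connection.Open();
            var sql = "SELECT COUNT(*) FROM Users WHERE Name = '" + userInput + "'";
            using (var command = new SqlCommand(sql, connection))
            {
                return (int)command.ExecuteScalar();
            }
        }
    }
    // Safe form: the value travels as a typed parameter, and the one piece a parameter cannot
    // carry (the ORDER BY identifier) is mapped to a fixed literal, so no user text enters the SQL.
    public static List<string> FindUsersSafe(string name, string sortKey)
    {
        string orderBy;
        switch (sortKey)
        {
            case "name": orderBy = "Name"; break;
            case "created": orderBy = "CreatedAt"; break;
            default: throw new ArgumentException("Unsupported sort key", nameof(sortKey));
        }
        var results = new List<string>();
        using (var connection = new SqlConnection(ConnectionString))
        {
            connection.Open();
            var sql = "SELECT Name FROM Users WHERE Name = @name ORDER BY " + orderBy;
            using (var command = new SqlCommand(sql, connection))
            {
                // Typed parameter with an explicit length: the value is sent separately from the text.
                command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
                using (var reader = command.ExecuteReader())
                    while (reader.Read()) results.Add(reader.GetString(0));
            }
        }
        return results;
    }
}
```

Mapping the sort key through a switch rather than an allowlist check keeps every string that reaches the query text a compile-time constant, which is also the form a taint analysis can follow without special sanitizer knowledge.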

Possible Messages

Key          | Text                                       | Severity | Disabled
tainted_call | This SQL command is built using raw input. | None     | False

Options