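/*
 * This reference program was developed in March 2011 as part of CIT599
 * Independent Research by Hamda Hasan
 *
 * This code implements CWE-089: http://cwe.mitre.org
 *
 * The code updates a database table while validating its input variables.
 */
using System;
using System.Collections.Generic;
using System.Text;
using System.Data;
using System.Data.SqlClient;

/// <summary>
/// Reference program for CWE-89 (SQL injection). The only untrusted value,
/// the new e-mail address, is bound as a <see cref="SqlParameter"/> and never
/// concatenated into the statement text, so it cannot alter the query.
/// </summary>
class SQL_Injection_scope_89
{
    /// <summary>
    /// Upper bound accepted for an e-mail address. 254 is the commonly cited
    /// practical maximum for an address (RFC 5321 path limits); bounding the
    /// input here keeps the parameter size fixed and avoids silent truncation
    /// by the provider.
    /// </summary>
    private const int MaxEmailLength = 254;

    public SQL_Injection_scope_89()
    {
    }

    /// <summary>
    /// Returns the name of the account whose row is updated. This is a stub
    /// that always returns "foo". In a real program this value must come from
    /// the authenticated session, never from request input; otherwise a caller
    /// could choose which account's e-mail to overwrite (an authorization
    /// bypass that parameterization alone does not prevent).
    /// </summary>
    private string getUser()
    {
        return "foo";
    }

    /// <summary>
    /// Sets the [email] column of the current user's Account row to
    /// <paramref name="newEmail"/> using a parameterized UPDATE.
    /// </summary>
    /// <param name="conn">An already-open connection to the database.</param>
    /// <param name="newEmail">The new address (untrusted input); bound as @newEmail.</param>
    /// <returns>The number of rows affected by the UPDATE (0 if no row matched).</returns>
    /// <exception cref="ArgumentNullException"><paramref name="conn"/> or <paramref name="newEmail"/> is null.</exception>
    /// <exception cref="ArgumentException"><paramref name="newEmail"/> is blank or longer than <see cref="MaxEmailLength"/>.</exception>
    /// <exception cref="InvalidOperationException"><paramref name="conn"/> is not open.</exception>
    public int updateTable(SqlConnection conn, string newEmail)
    {
        if (conn == null)
        {
            throw new ArgumentNullException("conn");
        }
        if (newEmail == null)
        {
            throw new ArgumentNullException("newEmail");
        }
        if (newEmail.Trim().Length == 0)
        {
            throw new ArgumentException("The new e-mail address must not be blank.", "newEmail");
        }
        if (newEmail.Length > MaxEmailLength)
        {
            throw new ArgumentException(
                "The new e-mail address must not exceed " + MaxEmailLength + " characters.", "newEmail");
        }
        // The original never opened the connection, so ExecuteNonQuery would
        // always fail; fail early with a clear message instead.
        if (conn.State != ConnectionState.Open)
        {
            throw new InvalidOperationException("The connection must be open before calling updateTable.");
        }

        string username = getUser();

        // Both values are bound as parameters (CWE-89 mitigation). The column
        // name is bracketed: in T-SQL an unquoted USER is the built-in function
        // returning the current database user, so "WHERE user=@username" would
        // not compare against the Account.user column at all.
        const string updateQuery = "UPDATE Account SET [email]=@newEmail WHERE [user]=@username";

        // SqlCommand is IDisposable; the original leaked it.
        using (SqlCommand command = conn.CreateCommand())
        {
            command.CommandText = updateQuery;

            SqlParameter userParam = new SqlParameter();
            userParam.ParameterName = "@username";
            userParam.SqlDbType = SqlDbType.VarChar;
            userParam.Value = username;
            command.Parameters.Add(userParam);

            SqlParameter emailParam = new SqlParameter();
            emailParam.ParameterName = "@newEmail";
            emailParam.SqlDbType = SqlDbType.VarChar;
            // Fixed size: the length check above guarantees no truncation, and a
            // constant size gives the server a single cached plan for all inputs.
            emailParam.Size = MaxEmailLength;
            emailParam.Value = newEmail;
            command.Parameters.Add(emailParam);

            return command.ExecuteNonQuery();
        }
    }

    /// <summary>
    /// Console entry point: prompts for an e-mail address and updates the
    /// current user's Account row with it.
    /// </summary>
    static void Main(string[] args)
    {
        // CWE-798: the original embedded a server account and password in
        // source. The connection string is taken from the environment instead,
        // so credentials are never committed with the code.
        string connectionString = Environment.GetEnvironmentVariable("ACCOUNT_DB_CONNECTION");
        if (string.IsNullOrEmpty(connectionString))
        {
            Console.Error.WriteLine(
                "Set the ACCOUNT_DB_CONNECTION environment variable to a SQL Server connection string.");
            Environment.ExitCode = 1;
            return;
        }

        Console.WriteLine("Enter Email: ");
        string email = Console.ReadLine();

        SQL_Injection_scope_89 obj = new SQL_Injection_scope_89();
        try
        {
            // Dispose the connection even if the update throws.
            using (SqlConnection con = new SqlConnection(connectionString))
            {
                con.Open();
                int rowsAffected = obj.updateTable(con, email);
                Console.WriteLine("Rows updated: " + rowsAffected);
            }
        }
        catch (ArgumentException ex)
        {
            // Input validation failure (blank/over-long address, or EOF on stdin).
            Console.Error.WriteLine("Invalid input: " + ex.Message);
            Environment.ExitCode = 2;
        }
        catch (SqlException ex)
        {
            // Report the provider's message; do not echo the connection string.
            Console.Error.WriteLine("Database error: " + ex.Message);
            Environment.ExitCode = 3;
        }
    }
}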