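/*
 * This reference program was developed in March 2011 as part of CIT599
 * Independent Research by Hamda Hasan
 *
 * This code implements CWE-089: http://cwe.mitre.org
 *
 * The code updates a database table while validating input variables.
 * This is the safe variant of the sample: the two user-controlled values
 * reach SQL Server only as bound @parameters, never by string
 * concatenation, so input such as  ' OR 1=1 --  is compared as data
 * rather than parsed as SQL.
 */
using System;
using System.Collections.Generic;
using System.Text;
using System.Data;
using System.Data.SqlClient;

class SQL_Injection_loop_89
{
    /// <summary>
    /// Sets the e-mail address of one account, identified by user name.
    /// </summary>
    /// <param name="conn">An already-opened connection to the database that holds the Account table.</param>
    /// <param name="username">Value matched against the [user] column. Bound as a parameter, so any text is safe to pass.</param>
    /// <param name="newEmail">Value written to the [email] column. Bound as a parameter.</param>
    /// <returns>Number of rows changed by the UPDATE (0 when no account has that user name).</returns>
    /// <exception cref="ArgumentNullException">conn, username or newEmail is null.</exception>
    /// <exception cref="InvalidOperationException">conn is not open (raised by ExecuteNonQuery).</exception>
    /// <exception cref="SqlException">The server rejects the statement.</exception>
    public int updateTable(SqlConnection conn, string username, string newEmail)
    {
        if (conn == null) throw new ArgumentNullException("conn");
        // A SqlParameter whose Value is null is not sent to the server at all,
        // and the statement then fails with "must declare the scalar variable".
        // Reject null here with a clear message instead (Console.ReadLine
        // returns null at end of input).
        if (username == null) throw new ArgumentNullException("username");
        if (newEmail == null) throw new ArgumentNullException("newEmail");

        // Table and column names are fixed in code; only the two VALUES vary,
        // and both travel as @parameters. USER is a reserved word in T-SQL, so
        // the column has to be delimited with brackets (the original bare
        // "WHERE user=" is rejected by the parser); [email] was already bracketed.
        const string updateQuery =
            "UPDATE Account SET [email]=@newEmail WHERE [user]=@username";

        // SqlCommand is IDisposable: release it even when ExecuteNonQuery throws.
        using (SqlCommand command = conn.CreateCommand())
        {
            command.CommandText = updateQuery;
            command.CommandType = CommandType.Text;

            // The original binds both values as VarChar, so that is kept here.
            // NOTE(review): if the columns are actually nvarchar the bound type
            // should match them to avoid an implicit conversion on [user];
            // no Size is given, so the length is inferred from each value --
            // confirm against the Account schema.
            command.Parameters.Add("@username", SqlDbType.VarChar).Value = username;
            command.Parameters.Add("@newEmail", SqlDbType.VarChar).Value = newEmail;

            // The original wrapped this in a one-iteration while loop and an
            // empty try/finally; a second iteration would have failed on the
            // duplicate parameter names, so the loop is gone.
            return command.ExecuteNonQuery();
        }
    }

    /// <summary>
    /// Console driver: reads a user name and an e-mail address and applies the update.
    /// </summary>
    /// <param name="args">Unused.</param>
    static void Main(string[] args)
    {
        // The connection string (which carries the SQL login password) is read
        // from the environment rather than embedded in the source, so no
        // credential is committed to version control or shipped in the binary.
        string connectionString = Environment.GetEnvironmentVariable("ACCOUNT_DB_CONNECTION");
        if (string.IsNullOrEmpty(connectionString))
        {
            Console.Error.WriteLine(
                "Set ACCOUNT_DB_CONNECTION to a SQL Server connection string, e.g. " +
                "\"Server=server.com;User Id=name;Password=...;Database=database\".");
            return;
        }

        Console.WriteLine("Enter Username: ");
        string user = Console.ReadLine();
        Console.WriteLine("Enter Email: ");
        string email = Console.ReadLine();
        if (user == null || email == null)
        {
            Console.Error.WriteLine("Both a user name and an e-mail address are required.");
            return;
        }

        SQL_Injection_loop_89 obj = new SQL_Injection_loop_89();
        // The original never opened the connection, so ExecuteNonQuery would
        // have thrown InvalidOperationException before reaching the server.
        // Open it here and let 'using' close it on every path.
        using (SqlConnection con = new SqlConnection(connectionString))
        {
            con.Open();
            int rows = obj.updateTable(con, user, email);
            Console.WriteLine(rows + " row(s) updated.");
        }
    }
}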