I have an urgent requirement that has to be implemented with regard to SQL injection.
My application went through a security scanning process, which found a few security threats with regard to SQL injection. We need your valuable support and guidelines to proceed further.
Project details: Windows application, VS2008
Database: SQL Server 2008.
The issue types and their details are listed out below:
Threat 1: During connection initialization
SqlConnection connection = new SqlConnection(connectionString);
At this line there is a chance of a security threat. We are getting the connection string parameter from web.config as below:
private static readonly string connectionString = ConfigurationManager.AppSettings["ConnectionString"];
Flaw Information
Type: Untrusted Initialization
Issue: External Control of System or Configuration Setting
Attack Vector: system_data_dll.System.Data.SqlClient.SqlConnection.!newinit_0_1
Function: int ExecuteNonQuery(string, System.Data.CommandType, string, System.Data.SqlClient.SqlParameter[])
Threat 2:
Type: SQL Injection
Issue: Improper Neutralization of Special Elements used in an SQL Command ('SQLInjection')
Attack Vector: system_data_dll.System.Data.IDbCommand.ExecuteNonQuery
Function: int FetchSPExecutedReturnValue(string, System.Collections.IDictionary)
Threat Line:
1. command.ExecuteNonQuery();
There are a few more similar threats like the one above. The threat lines are pointed out below:
2. dataReader = command.ExecuteReader();
3. adapter.Fill(ds);
4. dataReader = cmd.ExecuteReader(CommandBehavior.CloseConnection);
One more thing: we are not at all passing any queries to the DB. All the inputs are passed as parameters.
I am not sure what kind of threat there is with these (ExecuteNonQuery(), Fill(DataSet) and connection initialization) and how to defend against malicious code/vulnerabilities.
Please help me out.
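The following is an added illustration, not code from the poster's application. It shows the two patterns a scanner distinguishes at ExecuteNonQuery/ExecuteReader/Fill: command text that is built from input (vulnerable, whatever the wrapper is called) beside the same call with a fixed command text and typed SqlParameter values, a stored-procedure wrapper in the spirit of the poster's FetchSPExecutedReturnValue(string, IDictionary) that refuses procedure names outside a whitelist, and a connection-string loader that reads the <connectionStrings> section and rebuilds the value through SqlConnectionStringBuilder so the "Untrusted Initialization" finding has a concrete check behind it. The table Orders, the procedure names and the parameter names are assumptions made for the example; the APIs used all exist in .NET 3.5 (VS2008).

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

// Added example code; "Orders", the customer column and the procedure names are assumed.
public static class SqlInjectionExamples
{
    // VULNERABLE: the value typed by the user becomes part of the SQL text.
    // Input  x' OR '1'='1   returns every row; input  x'; DROP TABLE Orders;--  runs a second statement.
    // A scanner reports the ExecuteReader line because CommandText is derived from untrusted data.
    public static SqlDataReader FindOrdersUnsafe(SqlConnection conn, string customerName)
    {
        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT OrderId, Total FROM Orders WHERE Customer = '" + customerName + "'";
        return cmd.ExecuteReader();
    }

    // HARDENED: the SQL text is a constant; the value travels as a typed parameter,
    // so the server never parses it as SQL. The same ExecuteReader call is now safe.
    public static SqlDataReader FindOrdersSafe(SqlConnection conn, string customerName)
    {
        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT OrderId, Total FROM Orders WHERE Customer = @customer";
        cmd.Parameters.Add("@customer", SqlDbType.NVarChar, 100).Value = customerName;
        return cmd.ExecuteReader(CommandBehavior.CloseConnection);
    }

    // Stored-procedure names the application is allowed to call (assumed names).
    // The procedure name must never come from user input; if it arrives as a string,
    // it is checked against this fixed list before it reaches CommandText.
    private static readonly HashSet<string> AllowedProcedures =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "usp_GetOrdersByCustomer",
            "usp_UpdateOrderStatus"
        };

    // Wrapper in the shape of FetchSPExecutedReturnValue(string, IDictionary):
    // fixed whitelist for the name, CommandType.StoredProcedure so the name is not parsed as SQL,
    // every argument bound as a SqlParameter, and the procedure's RETURN value read back.
    public static int ExecuteProcedure(SqlConnection conn, string procedureName, IDictionary<string, object> args)
    {
        if (!AllowedProcedures.Contains(procedureName))
            throw new ArgumentException("Unknown stored procedure: " + procedureName);

        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.CommandText = procedureName;

            foreach (KeyValuePair<string, object> kv in args)
                cmd.Parameters.AddWithValue("@" + kv.Key, kv.Value ?? DBNull.Value);

            SqlParameter returnValue = cmd.Parameters.Add("@ReturnValue", SqlDbType.Int);
            returnValue.Direction = ParameterDirection.ReturnValue;

            cmd.ExecuteNonQuery();
            return (int)returnValue.Value;
        }
    }

    // Connection string: read from <connectionStrings>, not <appSettings>, then rebuilt
    // through SqlConnectionStringBuilder. Any keyword the builder does not recognise
    // throws, and the properties the application cares about are pinned explicitly.
    public static string LoadConnectionString(string name)
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[name];
        if (settings == null)
            throw new ConfigurationErrorsException("Missing connection string: " + name);

        SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(settings.ConnectionString);
        if (!builder.IntegratedSecurity && string.IsNullOrEmpty(builder.UserID))
            throw new ConfigurationErrorsException("Connection string has neither Integrated Security nor a login");

        builder.PersistSecurityInfo = false;   // do not keep the password in the open connection object
        return builder.ConnectionString;
    }
}
```

The first pair of methods is the check to run against the flagged lines: if every CommandText in the application is a literal or a whitelisted procedure name and every value is a SqlParameter, the ExecuteNonQuery/ExecuteReader/Fill findings are false positives that can be documented as such; a scanner cannot see that from the call site alone, which is why it reports the sink. For the connection-string finding, the <connectionStrings> section can additionally be encrypted with the DPAPI or RSA protected-configuration providers (aspnet_regiis -pe for web.config) so the value is not readable as plain text on disk.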