
I'm trying to figure out the proper way to do additional string validation. I have an SQL query below, compiled in C#, for which the Checkmarx application detected that Row.Cells[2].Text is not properly sanitized/validated.

using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

string qry =
    "SELECT * from table_name " +
    "WHERE column_name = @variable";   // the original ended with a dangling '+', which does not compile

var cmd = new SqlCommand(qry, con);
cmd.CommandTimeout = 500;
cmd.CommandType = CommandType.Text;

// Anchored allow-list of 1 to 35 word characters. The original pattern "\w{1-35}"
// is not a range quantifier (it matches one word character followed by the literal
// text "{1-35}"), and without ^ and $ a match anywhere in the input would pass.
if (!Regex.IsMatch(Row.Cells[2].Text, @"^\w{1,35}$"))
    throw new ArgumentException("Invalid string");
string name = Row.Cells[2].Text;   // here is the line at which Checkmarx detected as un-sanitized/un-validated.

cmd.Parameters.AddWithValue("@variable", name);
cmd.ExecuteNonQuery();

Due to this detection, I have added the Regex.IsMatch functionality, but somehow it is still detected as un-validated. Is there any other way that I can actually sanitize/validate the variable Row.Cells[2].Text in C# so that Checkmarx does not detect this as an issue? What am I doing wrong here?

  • 1) I don't see an INSERT query, 2) Parameters typically don't need to be "sanitized", what exactly does "checkmarx" look for? What does it consider "invalid"? Is it assuming that you're doing string concatenation instead of using SQL Parameters? Commented Jun 21, 2023 at 18:21
  • What happens if you do not assign it to the "name" variable and instead just use this? cmd.Parameters.AddWithValue("@variable", Row.Cells[2].Text); Commented Jun 21, 2023 at 18:24
  • @DStanley 1) I modified the question to remove the word "INSERT". 2) Since it is not properly "sanitized", checkmarx detected that this part could allow a user to tamper with the filter parameters. Commented Jun 21, 2023 at 18:25
  • @MelroyCoelho I previously did cmd.Parameters.AddWithValue("@variable", Row.Cells[2].Text); but the .Text is detected by checkmarx as not properly validated. I've added the Regex functionality above the line but it still detects the same issue. Commented Jun 21, 2023 at 18:27
  • You don't need to sanitize parameters, they are completely separate from code. Whatever tool you are using seems to be buggy, it should only trigger a warning if you use such values directly in the SQL text. Commented Jun 21, 2023 at 18:44
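The two points raised in the question and comments, that the parameter is what keeps the value out of the SQL text and that the regex as written does not actually validate anything, can be shown side by side. The following is an added example, not the asker's code or anything from Checkmarx: it keeps the question's `table_name`, `column_name` and `@variable` names, uses a placeholder connection string that is never opened, and assumes the `System.Data.SqlClient` package is available. The validator is a method that returns the checked value, which is the shape a static analyzer can recognise as a sanitizer, and the parameter is added with an explicit type and length rather than `AddWithValue`.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class NameFilter
{
    // Allow-list: 1 to 35 word characters. The anchors matter: without ^ and $ the
    // pattern only has to match somewhere in the input, so a value such as
    // "Bob'; --" would pass because "Bob" matches. The question's "\w{1-35}"
    // (hyphen instead of comma) is not a quantifier at all.
    private static readonly Regex NamePattern =
        new Regex(@"^\w{1,35}$", RegexOptions.Compiled | RegexOptions.CultureInvariant);

    // Returns the validated value or throws. Routing the value through a method
    // that returns it (rather than a check that is a side effect beside the
    // assignment) gives taint-tracking tools a single sanitizer to follow.
    public static string ValidateName(string input)
    {
        if (input is null || !NamePattern.IsMatch(input))
            throw new ArgumentException("Invalid string");
        return input;
    }

    // The value is bound as a typed, size-limited parameter and never concatenated
    // into the statement text, so it cannot alter the query regardless of content.
    public static SqlCommand BuildSelect(SqlConnection con, string rawName)
    {
        string name = ValidateName(rawName);
        var cmd = new SqlCommand(
            "SELECT * FROM table_name WHERE column_name = @variable", con)
        {
            CommandType = CommandType.Text,
            CommandTimeout = 500
        };
        // Explicit SqlDbType and length instead of AddWithValue, which infers the
        // type from the .NET value and can lead to implicit conversions server-side.
        cmd.Parameters.Add("@variable", SqlDbType.NVarChar, 35).Value = name;
        return cmd;
    }

    public static void Main()
    {
        // Constructed sample inputs; the connection string is a placeholder and the
        // connection is never opened, so this runs without a database.
        using var con = new SqlConnection("Server=PLACEHOLDER;Database=PLACEHOLDER;Integrated Security=true");
        string[] samples = { "Alice_01", "Bob'; --", new string('x', 36), "" };

        foreach (var s in samples)
        {
            try
            {
                var cmd = BuildSelect(con, s);
                Console.WriteLine($"accepted: \"{s}\" -> @variable = \"{cmd.Parameters["@variable"].Value}\"");
            }
            catch (ArgumentException ex)
            {
                Console.WriteLine($"rejected: \"{s}\" ({ex.Message})");
            }
        }
    }
}
```

Running `Main` accepts only `Alice_01`; the quoted value, the 36-character value and the empty string are rejected by the anchored pattern. Note that `\w` in .NET matches Unicode letters and digits; if the column is meant to hold ASCII identifiers only, replace it with `[A-Za-z0-9_]` to narrow the allow-list.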
