SQL injection--Improper Neutralization of Special Elements used in an SQL Command
Hi Team, let me know how the dynamic SQL query in the code below can be converted into a parameterized query, so that we can fix this flaw.
// Executes sqlStatement once against dbConn using the command type of the
// selected provider. Review notes on the injection finding:
//  - This fragment does not build the statement; sqlStatement arrives from
//    outside and is executed verbatim. Parameterizing means that text must
//    contain only placeholders (positional `?` for ODBC/OLE DB, named `@p`
//    for SqlClient) and every runtime value must reach the command through
//    PopulateCmdParameters. If the caller assembles sqlStatement by
//    concatenating input, that caller is where the flaw has to be fixed.
//  - When no transaction is supplied the connection is opened here; no
//    Close/Dispose is visible in this span, so confirm the caller releases
//    it (a using declaration on the command and connection would be typical).
//  - A provider value not listed in the switch opens the connection but
//    executes nothing.
if (dbTrans == null) dbConn.Open();

// Only the concrete command type depends on the provider; the wiring below
// is identical for all three.
DbCommand cmd = null;
switch (provider)
{
    case DbProvider.ODBC:
        cmd = new OdbcCommand();
        break;
    case DbProvider.OLE:
        cmd = new OleDbCommand();
        break;
    case DbProvider.SQL:
        cmd = new SqlCommand();
        break;
}

if (cmd != null)
{
    cmd.Connection = dbConn;
    cmd.CommandText = sqlStatement;
    cmd.CommandType = sqlType;
    cmd.Transaction = dbTrans;
    cmd.CommandTimeout = queryTimeOut;
    // Values are bound here, not spliced into CommandText.
    PopulateCmdParameters(cmd.Parameters);
    cmd.ExecuteNonQuery();
}