sql server - VeraCode complains SQL injection when my prepared statement has a dynamic database name - Stack Overflow

IT技术

更新时间：2025-02-041

admin管理员组
文章数量:1200986

My project needs to access a SQL Server which has hundreds databases in it. All those databases have same tables structure

So I need to query those data like this:

select * 
from {0}.dbo.tableA 
where fieldA = ?

The {0} will be replaced with a dynamic database name before prepared statement is created.

Those dynamic database name comes from a server scan and users has no way to input.

VeraCode complains this code and think it has SQL injection risk.

But VeraCode didn't complain if this query has no dynamic database name. And VeraCode didn't complain if this query has no query parameter.

I also tried connection.setCatalog to avoid dynamic database name and found it is not allowed in VeraCode

I also tried to do DbName validation before replacing and still failed in VeraCode

I am confused how VeraCode decide if it has SQL injection risk.

My project needs to access a SQL Server which has hundreds databases in it. All those databases have same tables structure

So I need to query those data like this:

select * 
from {0}.dbo.tableA 
where fieldA = ?

The {0} will be replaced with a dynamic database name before prepared statement is created.

Those dynamic database name comes from a server scan and users has no way to input.

VeraCode complains this code and think it has SQL injection risk.

But VeraCode didn't complain if this query has no dynamic database name. And VeraCode didn't complain if this query has no query parameter.

I also tried connection.setCatalog to avoid dynamic database name and found it is not allowed in VeraCode

I also tried to do DbName validation before replacing and still failed in VeraCode

I am confused how VeraCode decide if it has SQL injection risk.

Share Improve this question edited Jan 22 at 14:10 asked Jan 21 at 20:19 Justin 1,12011 silver badges31 bronze badges

Veracode documentation docs.veracode.com/r/… – Bart McEndree Commented Jan 21 at 20:49
It might be warning of scenarios similar to {0} replaced with: ValidTableName WHERE 1=2; Malicious Command Here; -- Resulting in select * from ValidTableName WHERE 1=2; Malicious Command Here; --.dbo.tableA where fieldA=? – Bart McEndree Commented Jan 21 at 20:56
Veracode probably does not check for the source of {0} and flags any SQL statement that uses string replacement in this way. stackoverflow.com/questions/50733147/… – Bart McEndree Commented Jan 21 at 21:05
Best advice: stackoverflow.com/questions/78027431/… – Bart McEndree Commented Jan 21 at 21:09
Veracode has no way of knowing if a disgruntled former privileged user might have created a database named [thing; do something bad here; --] and another called [thing]]; do something bad here; --] (just to cover the [{0}] injection case). Theoretically, it might also be the case that someone exploits a vulnerability that only allows them to create an arbitrarily-named database. The SQL injection would be the missing link to gaining complete access (the needed hole in the swiss cheese model). – T N Commented Jan 22 at 4:28

| Show 3 more comments

1 Answer 1

Sorted by: Reset to default 1

If you have dbname validation you can ignore this issue. https://docs.veracode.com/r/Ignored_Issues

本文标签：

版权声明：本文标题：sql server - VeraCode complains SQL injection when my prepared statement has a dynamic database name - Stack Overflow 内容由网友自发贡献，该文观点仅代表作者本人，转载请联系作者并注明出处：http://www.betaflare.com/web/1738600616a2102044.html，本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容，一经查实，本站将立刻删除。

更多相关文章

hooks - How to read and write session data?

IT技术

28分钟前

My website requires users to complete their profile before they can place an order. So far, I have been able to redirect

javascript - How to protect a private REST API in an AJAX app - Stack Overflow

IT技术

28分钟前

I know that there are many similar questions posted, but none of them refers to an HTMLjavascript app

javascript - jQuery's "uploadProgress" not firing in "$.ajax" - Stack Overflow

IT技术

23分钟前

I am new to jQuery and now, I am currently working on file uploads. And I want to add some progress bar

javascript - Prevent body from scrolling (mobile, native browsers) - Stack Overflow

IT技术

23分钟前

On native browser of Samsung Galaxy S5S6, following piece of CSS:body {overflow: hidden;}doesn'

css - Overcome Outlook darkmode color invert - Stack Overflow

IT技术

23分钟前

I know there are many threads regarding this issues but I couldn't find a solution and not sure ho

r - Increase distance between x axis ticks with discrete data and facets - Stack Overflow

IT技术

20分钟前

I have the following dataset:structure(list(x = c(75, 77, 84, 73, 62, 74, 55, 20, 73, 89, 36, 49, 72,

javascript - How to return a Promise with setInterval() - Stack Overflow

IT技术

19分钟前

I am trying to return a Promise object ever 1000ms, but i am not sure how to access the data returned i

plugins - Let users sell video in my website

IT技术

18分钟前

Closed. This question is off-topic. It is not currently accepting answers.Asking to recommend a product (plugin, theme,

flutter - Auto Client Reconnection to JSON RPC 2 Server in Dart - Stack Overflow

IT技术

16分钟前

I have the following flutter client that connects to a Dart Server implemented with JSON RPC 2 protocol

Disabled plugins are security holes - rumor or reality?

IT技术

16分钟前

I've read many WordPress Security blog articles where the Security Experts are recommending some special steps to t

javascript - How to detect an application in the kill app on react native? - Stack Overflow

IT技术

14分钟前

I want to change the state data from the API when the application is killed by the user.I have tried us

javascript - how to detect CTRL+C and CTRL+V key pressing using regular expression? - Stack Overflow

IT技术

13分钟前

I have blocked all aTOz character input for my text field using regular expression in my JavaScript but

Ansible distribute ssh keys from one host group to another host group - Stack Overflow

IT技术

12分钟前

i`m trying to made ansible role that will ( make if not exist, have'nt made yet ) distribute ssh p

javascript - Binding enabled state of button in Ember.js - Stack Overflow

IT技术

12分钟前

I'm just getting my feet wet with Ember.js, and I've hit something that I'm sure I'

Check If Taxonomy A and Taxonomy B has same Slug, 301 Auto Redirect Tax A to Tax B if True in Wordpress

IT技术

10分钟前

Please How do I achieve this?I have WordPress Default Taxonomy - Tag and a custom Taxonomy - Artist.I want to check fo

javascript - Using JQuery to Access a New Window's DOM - Stack Overflow

IT技术

8分钟前

I am creating a new window that will contain text that user will print.I would like to do something si

javascript - Safari window.open() doesn't work - Stack Overflow

IT技术

7分钟前

I need to open external link in a new window. I handle click on edit button in a view:module.exports =

monorepo - [NX]: Deleting config lib files make affected conmmand take every projects as affected - Stack Overflow

IT技术

5分钟前

When deleting the .eslintrc.js file for example inside a library in an Nx workspace, the nx affected co

regex - Javascript function to validate time 00:00 with regular expression - Stack Overflow

IT技术

4分钟前

I am trying to create a javascript function with regular expression to validate and format the time 24

javascript - How to run QUnit tests from command line? - Stack Overflow

IT技术

2分钟前

I recently started working on a Rails app that has a large amount of QUnit tests already in place for t

发表评论

全部评论 0

暂无评论

编程频道|软件玩家 - 软件改变生活！

sql server - VeraCode complains SQL injection when my prepared statement has a dynamic database name - Stack Overflow

1 Answer 1

更多相关文章

hooks - How to read and write session data?

javascript - How to protect a private REST API in an AJAX app - Stack Overflow

javascript - jQuery&#39;s &quot;uploadProgress&quot; not firing in &quot;$.ajax&quot; - Stack Overflow

javascript - Prevent body from scrolling (mobile, native browsers) - Stack Overflow

css - Overcome Outlook darkmode color invert - Stack Overflow

r - Increase distance between x axis ticks with discrete data and facets - Stack Overflow

javascript - How to return a Promise with setInterval() - Stack Overflow

plugins - Let users sell video in my website

flutter - Auto Client Reconnection to JSON RPC 2 Server in Dart - Stack Overflow

Disabled plugins are security holes - rumor or reality?

javascript - How to detect an application in the kill app on react native? - Stack Overflow

javascript - how to detect CTRL+C and CTRL+V key pressing using regular expression? - Stack Overflow

Ansible distribute ssh keys from one host group to another host group - Stack Overflow

javascript - Binding enabled state of button in Ember.js - Stack Overflow

Check If Taxonomy A and Taxonomy B has same Slug, 301 Auto Redirect Tax A to Tax B if True in Wordpress

javascript - Using JQuery to Access a New Window&#39;s DOM - Stack Overflow

javascript - Safari window.open() doesn&#39;t work - Stack Overflow

monorepo - [NX]: Deleting config lib files make affected conmmand take every projects as affected - Stack Overflow

regex - Javascript function to validate time 00:00 with regular expression - Stack Overflow

javascript - How to run QUnit tests from command line? - Stack Overflow

发表评论

推荐文章

block editor - Where are the layout defaults in Twenty Twenty Two coming from?

Can&#39;t create Groups or Folders in Xcode - Stack Overflow

posts - get_adjacent_post by language

algorithm - Javascript: Find out of sequence dates - Stack Overflow

loop - Custom Header added within Dashboard pages, is this possible with custom template files?

热门文章

javascript - unzip error [Error: invalid signature: 0xff000001] - Stack Overflow

html - How to resume JavaScript timer on iOS8 web app after screen unlock? - Stack Overflow

prototypejs - The &#39;this&#39; keyword returns the window object within an object&#39;s prototype in Javascript? -

javascript - ${} template literal (ES2015) conflict with JSP Expression Language syntax - Stack Overflow

javascript - Understanding Suspense and React Hooks - Stack Overflow

javascript - How can I change the background color of a button when clicked? - Stack Overflow

javascript - Location permission on iOS in react-native not working - Stack Overflow

php - save_post trigerred twice

plugins - Can we use a webservice with Wordpress?

javascript - Extending Custom Backbone View - Stack Overflow

最新文章

电脑小白怎么重装系统_电脑小白u盘重装系统详细教程【小白必看】

忘记电脑密码如何修改win7

Windows7 SP1更新升级失败

Windows7BT种子大全

适合win7的python版本_Win7操作系统上安装 Python3.X环境

html - Explain image.src.match in javascript - Stack Overflow

javascript - How to select first letter of each word of a string using regex - Stack Overflow

php - Add specific content after specific text in every post

javascript - Verify PKCS#7 (PEM) signatureunpack data in node.js - Stack Overflow

javascript - bundling of a dependency-of-dependency in commonJS format fails - converted to ESM - Stack Overflow

惠普OMEN 15-CE001TX 2EF91PA参数报价

苹果新款MacBook Pro 15英寸 i732GB1TBVega Pro 20参数报价

联想Y330A-PSE L参数报价

神舟战神Z7 D6 i7-12650H16GB512GBRTX4050旗舰版参数报价

神舟战神Z7 D6 i7-12650H16GB1TBRTX4050参数报价

javascript - jQuery's "uploadProgress" not firing in "$.ajax" - Stack Overflow

javascript - Using JQuery to Access a New Window's DOM - Stack Overflow

javascript - Safari window.open() doesn't work - Stack Overflow

Can't create Groups or Folders in Xcode - Stack Overflow

prototypejs - The 'this' keyword returns the window object within an object's prototype in Javascript? -