-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathStoredXPathInjection.cs
More file actions
39 lines (32 loc) · 1.46 KB
/
StoredXPathInjection.cs
File metadata and controls
39 lines (32 loc) · 1.46 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
using System;
using System.Data.SqlClient;
using System.Xml;
using System.Xml.XPath;
namespace Test
{
class StoredXPathInjection
{
public void processRequest()
{
using (SqlConnection connection = new SqlConnection(""))
{
connection.Open();
SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection);
SqlDataReader customerReader = customerCommand.ExecuteReader();
while (customerReader.Read())
{
string userName = customerReader.GetString(1);
string password = customerReader.GetString(2);
// BAD: User input used directly in an XPath expression
XPathExpression.Compile("//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()");
XmlNode xmlNode = null;
// BAD: User input used directly in an XPath expression to SelectNodes
xmlNode.SelectNodes("//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()");
// GOOD: Uses parameters to avoid including user input directly in XPath expression
XPathExpression.Compile("//users/user[login/text()=$username]/home_dir/text()");
}
customerReader.Close();
}
}
}
}