
Change this code to not construct SQL queries directly from user data

Arul Jesuraj

1y

Hi,

I have a use case where a dynamic SQL query is constructed from user input to the controller action method.

Even the TableName and ColumnName are inputs to the action. The query is constructed as below.

// Table and column names come straight from the request; only the value is a bound parameter.
sqlQuery.Append("SELECT * FROM public.\"" + tableName + "\" WHERE \"" + attributeName + "\" = @attributeValue");

No issue with the implementation. But SonarQube raises the critical error below.

Change this code to not construct SQL queries directly from user-controlled data

Please suggest how I can solve it. None of the compliant solutions are solving the issue.
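The reason the rule still fires is that `tableName` and `attributeName` are identifiers, which cannot be bound as parameters, so they must be checked against a fixed allowlist before they are quoted into the statement. The following is an added example (not from the poster and not one of the forum answers); the `Schema` allowlist is constructed for illustration and the command helper assumes the Npgsql provider.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using Npgsql;

public static class SafeLookup
{
    // Constructed allowlist for illustration: the tables and columns this endpoint
    // may query. In a real application, build it from your own model or from
    // information_schema at startup, never from the incoming request.
    private static readonly Dictionary<string, HashSet<string>> Schema =
        new Dictionary<string, HashSet<string>>(StringComparer.Ordinal)
        {
            ["customer"] = new HashSet<string>(StringComparer.Ordinal) { "id", "email", "city" },
            ["order"]    = new HashSet<string>(StringComparer.Ordinal) { "id", "status" },
        };

    // Returns the SQL text, or throws if either identifier is not on the allowlist.
    // The only request data that reaches the statement is the bound @attributeValue.
    public static string BuildQuery(string tableName, string attributeName)
    {
        if (!Schema.TryGetValue(tableName, out var columns))
            throw new ArgumentException("Unknown table", nameof(tableName));
        if (!columns.Contains(attributeName))
            throw new ArgumentException("Unknown column", nameof(attributeName));

        // Quote identifiers only after the allowlist check; doubling embedded quotes
        // is defence in depth should the allowlist ever be loaded from a looser source.
        string Quote(string ident) => "\"" + ident.Replace("\"", "\"\"") + "\"";

        var sql = new StringBuilder();
        sql.Append("SELECT * FROM public.").Append(Quote(tableName))
           .Append(" WHERE ").Append(Quote(attributeName))
           .Append(" = @attributeValue");
        return sql.ToString();
    }

    // Assumes Npgsql; the value is always passed as a parameter, never concatenated.
    public static NpgsqlCommand CreateCommand(NpgsqlConnection conn,
        string tableName, string attributeName, string attributeValue)
    {
        var cmd = new NpgsqlCommand(BuildQuery(tableName, attributeName), conn);
        cmd.Parameters.AddWithValue("attributeValue", attributeValue);
        return cmd;
    }

    public static void Main()
    {
        Console.WriteLine(BuildQuery("customer", "email"));
        try { BuildQuery("unknown_table", "email"); }
        catch (ArgumentException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

Because the identifiers can now only take values from a constant set, the statement is no longer built from user-controlled data, which is what the rule checks for.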
