Hi,
I have a common page (sqlhelper.cs) where I am preparing the command and executing ExecuteNonQuery, etc. But Veracode reported SQL injection flaw 89 in the following code, saying there is an issue with the parameters. How can I skip this verification? Are there any extra validations I need to put in the following code? Please help.

using System;
using System.Data;
using System.Data.SqlClient;

// Opens the connection if needed, then attaches connection, transaction, command text,
// command type and parameters to the SqlCommand. The caller is responsible for passing
// a constant statement or stored procedure name in commandText and supplying user data
// only through commandParameters.
private static void PrepareCommand(SqlCommand command, SqlConnection connection, SqlTransaction transaction, CommandType commandType, string commandText, SqlParameter[] commandParameters, out bool mustCloseConnection)
{
    if (command == null) throw new ArgumentNullException("command");
    if (connection == null) throw new ArgumentNullException("connection");
    if (commandText == null || commandText.Length == 0) throw new ArgumentNullException("commandText");

    // If the provided connection is not open, we will open it
    if (connection.State != ConnectionState.Open)
    {
        mustCloseConnection = true;
        try
        {
            connection.Open();
        }
        catch (Exception e)
        {
            string msg = "Database connection error! Maybe your database is not running or the connection string is wrong?";
            throw new Exception(msg, e);
        }
    }
    else
    {
        mustCloseConnection = false;
    }

    // Associate the connection with the command
    command.Connection = connection;

    // Set the command text (stored procedure name or SQL statement)
    command.CommandText = commandText;

    // If we were provided a transaction, assign it
    if (transaction != null)
    {
        if (transaction.Connection == null) throw new ArgumentException("The transaction was rolled back or committed, please provide an open transaction.", "transaction");
        command.Transaction = transaction;
    }

    // Set the command type
    command.CommandType = commandType;

    // Attach the command parameters if they are provided
    if (commandParameters != null)
    {
        foreach (SqlParameter p in commandParameters)
        {
            if (p != null)
            {
                // An input parameter with no value would be sent as "missing";
                // send an explicit SQL NULL instead
                if ((p.Direction == ParameterDirection.InputOutput ||
                     p.Direction == ParameterDirection.Input) &&
                    (p.Value == null))
                {
                    p.Value = DBNull.Value;
                }
                command.Parameters.Add(p);
            }
        }
    }
}

Thanks,
KVK.

As stated on SO, we need a more precise description of what that Veracode message means. Isn't there any documentation about it?

It's complaining because you allow the SQL statement to be sent to the method without verifying that it doesn't have special characters. From the documentation:

The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

Found here

The above code is common code. How can I check for special characters? Can you please modify the above code accordingly?

Thanks,
KVK.
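PrepareCommand only forwards whatever commandText it is given, so whether a statement is injectable is decided at the call site: a caller that concatenates user input into commandText cannot be repaired by a check inside the helper, and rejecting "special characters" there would also break legitimate data such as the name O'Brien. The CWE-89 text quoted above asks for special elements to be neutralized, and in ADO.NET that is done by keeping the statement constant and sending user data as SqlParameter values, which this helper already supports. The following is an added example and not code from the original thread; it assumes the SqlHelper class exposes the ExecuteNonQuery(connectionString, commandType, commandText, params SqlParameter[]) overload of the Microsoft Data Access Application Block that this PrepareCommand resembles, and the table, column and procedure names in it are made up.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example (not part of the original thread). Assumes
// SqlHelper.ExecuteNonQuery(string connectionString, CommandType commandType,
// string commandText, params SqlParameter[] commandParameters) as in the
// Data Access Application Block. "Users", its columns and "usp_DeactivateUser"
// are hypothetical names.
public static class UserRepository
{
    // VULNERABLE: user-controlled text becomes part of the statement itself.
    // This is the pattern a CWE-89 finding traces back to, even though the
    // analyzer reports the sink inside PrepareCommand (command.CommandText = ...).
    // A constructed input such as  x' OR 1=1 --  changes the WHERE clause so the
    // update applies to every row.
    public static int DeactivateUserUnsafe(string connectionString, string userName)
    {
        string sql = "UPDATE Users SET Active = 0 WHERE UserName = '" + userName + "'";
        return SqlHelper.ExecuteNonQuery(connectionString, CommandType.Text, sql);
    }

    // SAFE: the statement is a compile-time constant; the value travels as a
    // typed parameter and is never interpreted as SQL, so no escaping is needed.
    public static int DeactivateUser(string connectionString, string userName)
    {
        const string sql = "UPDATE Users SET Active = 0 WHERE UserName = @UserName";
        var userParam = new SqlParameter("@UserName", SqlDbType.NVarChar, 256) { Value = userName };
        return SqlHelper.ExecuteNonQuery(connectionString, CommandType.Text, sql, userParam);
    }

    // Same idea with a stored procedure: the procedure name is a constant and
    // PrepareCommand attaches the parameters to the SqlCommand.
    public static int DeactivateUserViaProcedure(string connectionString, string userName)
    {
        var userParam = new SqlParameter("@UserName", SqlDbType.NVarChar, 256) { Value = userName };
        return SqlHelper.ExecuteNonQuery(connectionString, CommandType.StoredProcedure,
                                         "usp_DeactivateUser", userParam);
    }

    // Identifiers (table and column names, ORDER BY targets) cannot be parameters.
    // When one must vary, map the caller's choice onto an allow-list instead of
    // inspecting characters; anything not in the list is rejected outright.
    private static readonly Dictionary<string, string> SortColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "name", "UserName" },
            { "created", "CreatedUtc" },
        };

    public static string BuildUserListQuery(string requestedSort)
    {
        string column;
        if (!SortColumns.TryGetValue(requestedSort ?? string.Empty, out column))
            throw new ArgumentException("Unsupported sort column.", "requestedSort");
        // Only the allow-listed identifier is interpolated; user data still goes
        // through the @Active parameter when this text is executed.
        return "SELECT UserName, CreatedUtc FROM Users WHERE Active = @Active ORDER BY " + column;
    }
}
```

In practice the finding is resolved by fixing the callers that build commandText from untrusted input, not by adding checks to PrepareCommand: static analyzers report the line where the tainted string reaches CommandText, but the taint enters wherever the statement was concatenated. If no caller concatenates input and the flag persists, review the data path the tool shows for the specific call, since a false positive on a helper that is only ever given constant statements should be handled through the tool's mitigation workflow rather than by weakening the code.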
