Эта строка кода < /p>
using (objCmd = new SqlCommand(SPname1, objConn))
< /code>
имеет помещение как инъекция SQL: < /p>
public DataSet GetTableByStoredProc(string strProcName, ArrayList alParams) //copy with using()-DataSet updated for appscan 21022025 01
{
DataSet dataSet = new DataSet();
Hashtable hstOutParameter = new Hashtable();
SqlConnection objConn = new SqlConnection();
SqlCommand objCmd = new SqlCommand();
SqlDataAdapter objDataAdapter = null;
string SPname1 = Sanitizer.GetSafeHtmlFragment(strProcName);
try
{
GetConnection(ref objConn);
using (objCmd = new SqlCommand(SPname1, objConn))
{
objCmd.CommandType = CommandType.StoredProcedure;
objCmd.CommandTimeout = 7200;
if (alParams.Capacity > 0)
{
objCmd.Parameters.AddRange(AddDBParameter(ref alParams).ToArray());
}
// objDataAdapter = new SqlDataAdapter(objCmd);
using (objDataAdapter = new SqlDataAdapter(objCmd))
{
objDataAdapter.Fill(SanitizeDataTable(dataSet));
GetDBParameterValuesSpecific(objCmd, ref alParams);
}
}
return dataSet;
}
catch (Exception ex)
{
throw ex;
}
finally
{
objConn.Dispose();
objCmd.Dispose();
}
}
Подробнее здесь: https://stackoverflow.com/questions/794 ... ool-report
