paresh gugale


Access Control : Database

Jul 1 2015 7:44 AM
In the website I can access some data from the database. That data is also uploaded.
But at the time of the security audit it gives the problem below:

Upload.aspx.cs, line 35 (Access Control: Database)
Fortify Priority: High
Folder: High
Kingdom: Security Features
Abstract: Without proper access control, the method Button1_Click() in Upload.aspx.cs can execute a SQL statement on line 35 that contains an attacker-controlled primary key, thereby allowing the attacker to access unauthorized records.
Source: Upload.aspx.cs:28 System.Web.UI.WebControls.TextBox.get_Text()
26 protected void Button1_Click(object sender, EventArgs e)
27 {
28 string des = ReplaceNewLines(TextBox1.Text, true);
29
30 using (SqlConnection con = new SqlConnection(constr))
Sink: Upload.aspx.cs:35 System.Data.SqlClient.SqlParameterCollection.AddWithValue()
33 {
34 cmd.CommandText = "update messages set msg=@msg where mperson=@mperson";
35 cmd.Parameters.AddWithValue("@msg", des);
36 cmd.Parameters.AddWithValue("@mperson", DropDownList1.SelectedValue.ToString());
37 cmd.Connection = con;
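The finding is about the @mperson key coming from DropDownList1, a value the client controls, so the UPDATE can be pointed at any row. Below is an added C# example (not the poster's code) of the same update with the key bound to the server-side authenticated identity; the helper name UpdateOwnMessage, the connection string value and the rule "a user may only edit their own message" are assumptions, while the table and column names are taken from the post.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class MessageStore
{
    // Connection string as in the post; the value here is a placeholder.
    private static readonly string constr = "<connection string>";

    // Updates the caller's own message and returns the number of rows changed.
    // authenticatedUser must come from the server-side auth context
    // (e.g. User.Identity.Name), never from a form field or dropdown.
    // requestedPerson is whatever the client sent (DropDownList1.SelectedValue);
    // it is treated as a request to be authorized, not as proof of ownership.
    public static int UpdateOwnMessage(string authenticatedUser,
                                       string requestedPerson,
                                       string newMessage)
    {
        if (string.IsNullOrEmpty(authenticatedUser))
            throw new UnauthorizedAccessException("not authenticated");

        // Hypothetical authorization rule: only your own record may be edited.
        // Reject before touching the database rather than trusting the key.
        if (!string.Equals(authenticatedUser, requestedPerson, StringComparison.Ordinal))
            throw new UnauthorizedAccessException("not the owner of this record");

        using (SqlConnection con = new SqlConnection(constr))
        using (SqlCommand cmd = con.CreateCommand())
        {
            cmd.CommandText = "update messages set msg=@msg where mperson=@mperson";
            cmd.Parameters.Add("@msg", SqlDbType.NVarChar).Value = newMessage;
            // The key is bound to the authenticated identity, so even a
            // tampered dropdown value cannot select another user's row.
            cmd.Parameters.Add("@mperson", SqlDbType.NVarChar).Value = authenticatedUser;
            con.Open();
            int rows = cmd.ExecuteNonQuery();
            // Zero rows means no record for this user; callers can log it.
            return rows;
        }
    }
}
```

In Button1_Click this would be called as UpdateOwnMessage(User.Identity.Name, DropDownList1.SelectedValue, des), and the tool no longer sees an attacker-controlled value reaching the primary-key parameter.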