Secure Connection Strings from Injection

Why this matters

Allowing user input in connection strings can lead to injection attacks. Always validate and sanitize inputs before constructing connection strings.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

public string ConnectionString { get; set; } = "Server=10.0.0.101;Database=CustomerData";

public SqlConnection ConnectToDatabase(HttpRequest request)
{
    string connectionString = string.Format("{0};User ID={1};Password={2}",
        ConnectionString,
        request.Form["usertitle"],
        request.Form["password"]);

    SqlConnection connection = new SqlConnection();
    connection.ConnectionString = connectionString; // Noncompliant
    connection.Open();
    return connection;
}

Prefer

public string ConnectionString { get; set; } = "Server=10.0.0.101;Database=CustomerData";

public SqlConnection ConnectToDatabase(HttpRequest request)
{
    SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(ConnectionString);
    builder.UserID = request.Form["usertitle"];
    builder.Password = request.Form["password"];

    SqlConnection connection = new SqlConnection();
    connection.ConnectionString = builder.ConnectionString;
    connection.Open();
    return connection;
}

More snippets

Bad

public string ConnectionString { get; set; } = "Server=10.0.0.101;Database=CustomerData";

public SqlConnection ConnectToDatabase(HttpRequest request)
{
    string connectionString = string.Format("{0};User ID={1};Password={2}",
        ConnectionString,
        request.Form["usertitle"],
        request.Form["password"]);

    SqlConnection connection = new SqlConnection();
    connection.ConnectionString = connectionString; // Noncompliant
    connection.Open();
    return connection;
}

Good

public string ConnectionString { get; set; } = "Server=10.0.0.101;Database=CustomerData";

public SqlConnection ConnectToDatabase(HttpRequest request)
{
    SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(ConnectionString);
    builder.UserID = request.Form["usertitle"];
    builder.Password = request.Form["password"];

    SqlConnection connection = new SqlConnection();
    connection.ConnectionString = builder.ConnectionString;
    connection.Open();
    return connection;
}

Related rules

From the same buckets as this rule.

Critical

Always sanitize user inputs

Check if user inputs are sanitized before being used in rendering or database queries. Unsanitized inputs can lead to injection vulnerabilities like XSS or SQL injection.

security-hardening

Critical

Always Verify Server Certificates in SSL/TLS Connections

Ensure that SSL/TLS certificate validation is always enabled to prevent Man-in-the-Middle (MitM) attacks.

security-hardening

Critical

Avoid modifying built-in prototypes

Detect modifications to built-in prototypes. Modifying built-in objects can lead to compatibility issues and unexpected behavior. Recommend creating helper functions instead.

maintainabilitysecurity-hardening

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

public string ConnectionString { get; set; } = "Server=10.0.0.101;Database=CustomerData";

public SqlConnection ConnectToDatabase(HttpRequest request)
{
    string connectionString = string.Format("{0};User ID={1};Password={2}",
        ConnectionString,
        request.Form["usertitle"],
        request.Form["password"]);

    SqlConnection connection = new SqlConnection();
    connection.ConnectionString = connectionString; // Noncompliant
    connection.Open();
    return connection;
}

Prefer

public string ConnectionString { get; set; } = "Server=10.0.0.101;Database=CustomerData";

public SqlConnection ConnectToDatabase(HttpRequest request)
{
    SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(ConnectionString);
    builder.UserID = request.Form["usertitle"];
    builder.Password = request.Form["password"];

    SqlConnection connection = new SqlConnection();
    connection.ConnectionString = builder.ConnectionString;
    connection.Open();
    return connection;
}

More snippets

Bad

public string ConnectionString { get; set; } = "Server=10.0.0.101;Database=CustomerData";

public SqlConnection ConnectToDatabase(HttpRequest request)
{
    string connectionString = string.Format("{0};User ID={1};Password={2}",
        ConnectionString,
        request.Form["usertitle"],
        request.Form["password"]);

    SqlConnection connection = new SqlConnection();
    connection.ConnectionString = connectionString; // Noncompliant
    connection.Open();
    return connection;
}

Good

public string ConnectionString { get; set; } = "Server=10.0.0.101;Database=CustomerData";

public SqlConnection ConnectToDatabase(HttpRequest request)
{
    SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(ConnectionString);
    builder.UserID = request.Form["usertitle"];
    builder.Password = request.Form["password"];

    SqlConnection connection = new SqlConnection();
    connection.ConnectionString = builder.ConnectionString;
    connection.Open();
    return connection;
}

Related rules

From the same buckets as this rule.

Critical

Always sanitize user inputs

Check if user inputs are sanitized before being used in rendering or database queries. Unsanitized inputs can lead to injection vulnerabilities like XSS or SQL injection.

security-hardening

Critical

Always Verify Server Certificates in SSL/TLS Connections

Ensure that SSL/TLS certificate validation is always enabled to prevent Man-in-the-Middle (MitM) attacks.

security-hardening

Critical

Avoid modifying built-in prototypes

Detect modifications to built-in prototypes. Modifying built-in objects can lead to compatibility issues and unexpected behavior. Recommend creating helper functions instead.

maintainabilitysecurity-hardening