SQL injection issue with DLINQ

Jun 10, 2010 at 11:47 AM
Edited Jun 22, 2010 at 10:51 AM


I have used DLINQ in my current module, and when we run Fortify against this project we get some security issues like SQL injection. That is because the solution which comes with DLINQ uses direct queries for database manipulation (Insert/Delete/Update). Can it be modified to pass/retrieve proper parameters for each object in the schema?

Following are the files and line numbers where we are getting SQL injection / XML injection:

  • DataTool.cs [LineNo: 41]
  • OracleContext.cs [LineNo: 567]
  • OracleQuerySession.cs [LineNo: 110 and 234]
  • XMLNodeConvertor.cs [LineNo: 342 and 352]

 Could anyone give me some advice on that?

Thanks in advance.
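The pattern the post is asking about, as an added illustration that is not part of the thread and not code from the DLINQ project or from the files listed above: a hypothetical insert helper written the way a static analyser such as Fortify flags it (values spliced into the statement text) next to the same insert with every value bound as a DbParameter. The helper names, the regex, and the use of the provider-neutral System.Data.Common types are assumptions for the example; Oracle providers use ":name" placeholders, which is what the safe version emits.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.Common;
using System.Text;
using System.Text.RegularExpressions;

// Hypothetical helper for illustration only; not DLINQ's own generator code.
public static class ParameterisedInsert
{
    // The shape of code a static analyser reports as SQL injection: every value
    // is concatenated into the statement, so a value such as
    //   x'); DELETE FROM EMP; --
    // changes the statement instead of being stored as data.
    public static string BuildUnsafeInsert(string table, IDictionary<string, object> values)
    {
        var cols = string.Join(", ", values.Keys);
        var vals = new List<string>();
        foreach (var v in values.Values)
            vals.Add(v == null ? "NULL" : "'" + v + "'");
        return "INSERT INTO " + table + " (" + cols + ") VALUES (" + string.Join(", ", vals) + ")";
    }

    // Table and column names cannot be bound as parameters, so a generator has to
    // take them from the schema metadata only and reject anything that is not a
    // plain identifier. (Assumed pattern: letter, then up to 29 of [A-Za-z0-9_$#].)
    static readonly Regex Identifier = new Regex(@"^[A-Za-z][A-Za-z0-9_$#]{0,29}$");

    static string CheckIdentifier(string name)
    {
        if (!Identifier.IsMatch(name))
            throw new ArgumentException("Not a plain SQL identifier: " + name);
        return name;
    }

    // The same insert with every value passed as a DbParameter. The statement
    // text now contains only identifiers and ":pN" placeholders; values never
    // reach the SQL parser as SQL.
    public static DbCommand BuildSafeInsert(DbConnection conn, string table, IDictionary<string, object> values)
    {
        DbCommand cmd = conn.CreateCommand();
        var cols = new StringBuilder();
        var marks = new StringBuilder();
        int i = 0;
        foreach (var kv in values)
        {
            if (i > 0) { cols.Append(", "); marks.Append(", "); }
            cols.Append(CheckIdentifier(kv.Key));

            // Parameters are added in the same order as the placeholders, which
            // also keeps providers that bind by position (not by name) correct.
            DbParameter p = cmd.CreateParameter();
            p.ParameterName = "p" + i;
            p.Value = kv.Value ?? (object)DBNull.Value;
            cmd.Parameters.Add(p);
            marks.Append(":p").Append(i);
            i++;
        }
        cmd.CommandText = "INSERT INTO " + CheckIdentifier(table)
                        + " (" + cols + ") VALUES (" + marks + ")";
        return cmd;
    }
}
```

Applied to a generator, the point is that the emitted Insert/Update/Delete code should build only the identifier part of the statement from the schema and hand every column value to the provider as a parameter; the same split applies to the WHERE clause of Update and Delete, where key values are bound the same way.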

Jul 2, 2010 at 3:51 PM


You're right, the DLINQ library has security issues. I will try to resolve that quickly before I post my new version.

In fact, DataTool is not important because it is a generator only.