Checkmarx (SAST): DB_Parameter_Tampering
Security Issue: Read More about DB_Parameter_Tampering
Applications: test_App
Checkmarx Project: apcxtest/test-repo-pub2
Repository URL: https://github.com/apcxtest/test-repo-pub2
Branch: main
Scan ID: 5072abd4-8e3e-49e3-b1b5-44426e72387c
Method Orders_Show at line 167 of /OrdersRecord.cs gets user input from element Value. This input is used by the application, without being validated, to filter personal records from sensitive database tables. Method Orders_Show submits a query to the database Fill, at line 176 of /OrdersRecord.cs, without any additional filtering by the database. This could allow the user to choose different records based on the id.
Result #1:
Severity: MEDIUM
State: TO_VERIFY
Status: RECURRENT
Attack Vector:
1. Value: /OrdersRecord.cs[167,61]
2. ToSQL: /OrdersRecord.cs[167,37]
3. sWhere: /OrdersRecord.cs[167,3]
4. sWhere: /OrdersRecord.cs[171,49]
5. sSQL: /OrdersRecord.cs[171,10]
6. sSQL: /OrdersRecord.cs[172,53]
7. OleDbDataAdapter: /OrdersRecord.cs[172,32]
8. dsCommand: /OrdersRecord.cs[172,20]
9. dsCommand: /OrdersRecord.cs[176,7]
10. Fill: /OrdersRecord.cs[176,17]
Review result in Checkmarx One: DB_Parameter_Tampering
Result #2:
Severity: MEDIUM
State: TO_VERIFY
Status: RECURRENT
Attack Vector:
1. Value: /OrdersRecord.cs[346,61]
2. ToSQL: /OrdersRecord.cs[346,37]
3. sWhere: /OrdersRecord.cs[346,3]
4. sWhere: /OrdersRecord.cs[349,46]
5. sSQL: /OrdersRecord.cs[349,9]
6. sSQL: /OrdersRecord.cs[354,38]
7. OleDbCommand: /OrdersRecord.cs[354,21]
8. cmd: /OrdersRecord.cs[354,15]
9. cmd: /OrdersRecord.cs[356,3]
10. ExecuteNonQuery: /OrdersRecord.cs[356,7]
Review result in Checkmarx One: DB_Parameter_Tampering