C#: Add SQLCommand examples.

michaelnebel · michaelnebel · commit d42752714ceb · 2022-08-10T11:08:21.000+02:00
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjectionSqlite.cs b/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjectionSqlite.cs
@@ -0,0 +1,27 @@
+using System;
+
+namespace TestSqlite
+{
+
+    using System.Data.SQLite;
+    using System.Web.UI.WebControls;
+
+    class SqlInjection
+    {
+        private string connectionString;
+        public TextBox untrustedData;
+
+        public void InjectUntrustedData()
+        {
+            // BAD: untrusted data is not sanitized.
+            SQLiteCommand cmd = new SQLiteCommand(untrustedData.Text);
+
+            // BAD: untrusted data is not sanitized.
+            using (var connection = new SQLiteConnection(connectionString))
+            {
+                cmd = new SQLiteCommand(untrustedData.Text, connection);
+            }
+
+        }
+    }
+}
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089/options b/csharp/ql/test/query-tests/Security Features/CWE-089/options
@@ -1,5 +1,6 @@
 semmle-extractor-options: /nostdlib /noconfig
 semmle-extractor-options: --load-sources-from-project:../../../resources/stubs/Dapper/2.0.90/Dapper.csproj
 semmle-extractor-options: --load-sources-from-project:../../../resources/stubs/System.Data.SqlClient/4.8.3/System.Data.SqlClient.csproj
+semmle-extractor-options: --load-sources-from-project:../../../resources/stubs/System.Data.SQLite/1.0.116/System.Data.SQLite.csproj
 semmle-extractor-options: ${testdir}/../../../resources/stubs/EntityFramework.cs
 semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Windows.cs
