--- title: Prevent SQL queries built from strings description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST Rules > Prevent SQL queries built from strings --- # Prevent SQL queries built from strings {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **ID:** `csharp-security/sql-injection` **Language:** C# **Severity:** Error **Category:** Security **CWE**: [89](https://cwe.mitre.org/data/definitions/89.html) ## Description{% #description %} Never build SQL queries manually. Always have the query built with parameters and then pass the parameters to the prepared statement. #### Learn More{% #learn-more %} - [CWE-89: Improper Neutralization of Special Elements used in an SQL](https://cwe.mitre.org/data/definitions/89.html) ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```csharp using System.Xml; class MyClass { public static void doQuery(Int32 userId) { using (SqlConnection connection = new SqlConnection(connectionString)) { var sql = $"SELECT Id, Username, Email, IsAdmin FROM Users WHERE Username LIKE '%{name}%'"; } } } ``` ```csharp using System.Xml; class MyClass { public static void doQuery(Int32 userId) { using (SqlConnection connection = new SqlConnection(connectionString)) { SqlCommand command = new SqlCommand("SELECT attr FROM table WHERE id=" + userID, connection); } } } ``` ```csharp using System.Xml; class MyClass { public static void goQuery(Int32 userID) { String query1 = "SELECT attr FROM table WHERE id=" + userID; } } ``` ```csharp class MyClass { public static void doQuery(string role) { var sql = $"SELECT * FROM Users WHERE role = {(role == "admin" ? "admin" : role)}"; } } ``` ```csharp class MyClass { public static void doQuery(string firstName, string lastName) { var sql = $"SELECT * FROM Users WHERE name = '{firstName + " " + lastName}'"; } } ``` ```csharp class MyClass { public static void doQuery(string name) { var sql = $"SELECT * FROM Users WHERE name = '{name ?? "default"}'"; } } ``` ## Compliant Code Examples{% #compliant-code-examples %} ```csharp using System.Xml; class MyClass { public static void doQuery(Int32 userID) { using (SqlConnection connection = new SqlConnection(connectionString)) { SqlCommand command = new SqlCommand("SELECT attr FROM table WHERE id=@ID", connection); command.Parameters.Add("@ID", SqlDbType.Int); command.Parameters["@ID"].Value = userID; } } } ``` ```csharp using System.Data.SqlClient; class MyClass { public static void doQuery(int recordMoveID) { using (SqlConnection connection = new SqlConnection(connectionString)) { var SQL = $@" SELECT * FROM ApplicationControls WHERE EntityTypeID = {(int)EntityType.Project} AND RecordMoveID = @RecordMoveID"; } } } ``` Seamless integrations. Try Datadog Code SecurityDatadog Code Security {% icon name="icon-external-link" /%}