70-340 Implementing Security for Applications with Microsoft Visual C# .NET
Demo Question 3.
You are an application developer for EliteCertify.com. You are conducting a code review of an application that updates a Microsoft SQL Server database named Payroll. This database is used by other applications. The application contains the following code segment.

    public void calculateAndStore(SqlConnection conn, string ID, string bonus, string salary)
    {
        salary = Convert.ToString(Convert.ToDecimal(salary) * 1.05m);
        bonus = Convert.ToString(Convert.ToDecimal(salary) * 0.05m);
        if (ID.Length == 0)
            throw new ApplicationException("Error - Empty ID");
        string newID = "ID. " + ID;
        // Dynamic SQL: the values are concatenated directly into the statement text.
        string strUpdate = "UPDATE Payroll SET EmployeeID = '" + newID + "', Bonus = '" + bonus
            + "', Salary = '" + salary + "' " + "WHERE EmployeeID = '" + ID + "'";
        SqlCommand cmd = new SqlCommand(strUpdate, conn);
        cmd.Connection.Open();
        cmd.ExecuteNonQuery();
    }

The values in the string variables named ID, Bonus, and Salary are contained in the Payroll database. The purpose of the code segment is to calculate new values for ID, Bonus, and Salary, and to update those values in the Payroll database. You need to improve the security of this application. What should you do?
A. Validate that the Salary value is within the range for the data type in the SQL Server database.
B. Validate the contents of the ID value before updating it in the SQL Server database.
C. Validate the length of the ID value before updating it in the SQL Server database.
D. Enclose the body of the function within a try-catch block.
Answer: D
Explanation: There are several things worrisome about this question. Since all input must be considered hostile until proven otherwise, even input that comes from and is passed between applications, a validation step must be applied at every opportunity. This makes the code segment longer and the application will take a perceived performance hit. However, that is still better than taking the chance that the data being used or passed has been manipulated. Parameterized stored procedures or parameterized SQL statements should be used instead of dynamic SQL built by string concatenation. Since the information is being pulled from the database, we have to assume that earlier processes in the application handled the scrubbing and validation of the data during the original data entry, or it should not be there. However, a less than trustworthy database administrator could still manipulate the data at any time, and the database could have been compromised by some other means.
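The parameterized rewrite of the code segment that the explanation calls for, as an added example (not from the exam guide or from the original question). It assumes the Bonus and Salary columns are decimal and EmployeeID is a string column of at most 30 characters; the ID allow-list pattern is an assumption to adjust to the real identifier format.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class PayrollUpdater
{
    // Allow-list for the employee identifier (assumed format: alphanumeric, 1-20 chars).
    private static readonly Regex IdPattern =
        new Regex(@"^[A-Za-z0-9]{1,20}$", RegexOptions.Compiled);

    public static void CalculateAndStore(SqlConnection conn, string id, string bonus, string salary)
    {
        // Validate the identifier's content and length before it goes near the query.
        if (string.IsNullOrEmpty(id) || !IdPattern.IsMatch(id))
            throw new ApplicationException("Error - Invalid ID");

        // Do the arithmetic on decimals instead of round-tripping numbers through strings.
        // The bonus is derived from the already-increased salary, as in the original segment.
        decimal newSalary = Convert.ToDecimal(salary) * 1.05m;
        decimal newBonus = newSalary * 0.05m;
        string newId = "ID. " + id;

        // Placeholders instead of concatenation: data values can never alter the statement's structure.
        const string sql =
            "UPDATE Payroll SET EmployeeID = @newId, Bonus = @bonus, Salary = @salary " +
            "WHERE EmployeeID = @id";

        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Typed parameters also enforce the column's data type and length (sizes are assumptions).
            cmd.Parameters.Add("@newId", SqlDbType.NVarChar, 30).Value = newId;
            cmd.Parameters.Add("@bonus", SqlDbType.Decimal).Value = newBonus;
            cmd.Parameters.Add("@salary", SqlDbType.Decimal).Value = newSalary;
            cmd.Parameters.Add("@id", SqlDbType.NVarChar, 30).Value = id;

            if (conn.State != ConnectionState.Open)
                conn.Open();

            // A payroll row update should touch exactly one row; anything else is an error worth surfacing.
            int rows = cmd.ExecuteNonQuery();
            if (rows != 1)
                throw new ApplicationException("Error - Expected exactly one row to be updated");
        }
    }
}
```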