C#: Convert SQL injection test to use inline expectations.

michaelnebel · michaelnebel · commit bb85e241214c · 2025-06-25T14:53:09.000+02:00
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.cs b/csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.cs
@@ -17,20 +17,20 @@ public void ProcessRequest()
             {
                 connection.Open();
                 SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection);
-                SqlDataReader customerReader = customerCommand.ExecuteReader();
+                SqlDataReader customerReader = customerCommand.ExecuteReader(); // $ Source[cs/sql-injection]
 
                 while (customerReader.Read())
                 {
                     // BAD: Read from database, write it straight to another query
-                    SqlCommand secondCustomerCommand = new SqlCommand("SELECT * FROM customers WHERE customerName=" + customerReader.GetString(1), connection);
+                    SqlCommand secondCustomerCommand = new SqlCommand("SELECT * FROM customers WHERE customerName=" + customerReader.GetString(1), connection); // $ Alert[cs/sql-injection]
                 }
                 customerReader.Close();
             }
         }
 
         public void RunSQLFromFile()
         {
-            using (FileStream fs = new FileStream("myfile.txt", FileMode.Open))
+            using (FileStream fs = new FileStream("myfile.txt", FileMode.Open)) // $ Source[cs/sql-injection]
             {
                 using (StreamReader sr = new StreamReader(fs, Encoding.UTF8))
                 {
@@ -42,7 +42,7 @@ public void RunSQLFromFile()
                             continue;
                         using (var connection = new SQLiteConnection(""))
                         {
-                            var cmd = new SQLiteCommand(sql, connection);
+                            var cmd = new SQLiteCommand(sql, connection); // $ Alert[cs/sql-injection]
                             cmd.ExecuteScalar();
                         }
                     }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.cs b/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.cs
@@ -35,8 +35,8 @@ public void GetDataSetByCategory()
             using (var connection = new SqlConnection(connectionString))
             {
                 var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
-                  + categoryTextBox.Text + "' ORDER BY PRICE";
-                var adapter = new SqlDataAdapter(query1, connection);
+                  + categoryTextBox.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
+                var adapter = new SqlDataAdapter(query1, connection); // $ Alert[cs/sql-injection]
                 var result = new DataSet();
                 adapter.Fill(result);
             }
@@ -70,9 +70,9 @@ public void GetDataSetByCategory()
                 {
                     // BAD: Use EntityFramework direct Sql execution methods
                     var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
-                              + categoryTextBox.Text + "' ORDER BY PRICE";
-                    context.Database.ExecuteSqlCommand(query1);
-                    context.Database.SqlQuery<string>(query1);
+                              + categoryTextBox.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
+                    context.Database.ExecuteSqlCommand(query1); // $ Alert[cs/sql-injection]
+                    context.Database.SqlQuery<string>(query1); // $ Alert[cs/sql-injection]
                     // GOOD: Use EntityFramework direct Sql execution methods with parameter
                     var query2 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY="
                             + "@p0 ORDER BY PRICE";
@@ -84,8 +84,8 @@ public void GetDataSetByCategory()
             using (var connection = new SqlConnection(connectionString))
             {
                 var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
-                  + box1.Text + "' ORDER BY PRICE";
-                var adapter = new SqlDataAdapter(query1, connection);
+                  + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
+                var adapter = new SqlDataAdapter(query1, connection); // $ Alert[cs/sql-injection]
                 var result = new DataSet();
                 adapter.Fill(result);
             }
@@ -94,9 +94,9 @@ public void GetDataSetByCategory()
             using (var connection = new SqlConnection(connectionString))
             {
                 var queryString = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
-                  + box1.Text + "' ORDER BY PRICE";
-                var cmd = new SqlCommand(queryString);
-                var adapter = new SqlDataAdapter(cmd);
+                  + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
+                var cmd = new SqlCommand(queryString); // $ Alert[cs/sql-injection]
+                var adapter = new SqlDataAdapter(cmd); // $ Alert[cs/sql-injection]
                 var result = new DataSet();
                 adapter.Fill(result);
             }
@@ -105,9 +105,9 @@ public void GetDataSetByCategory()
             using (var connection = new SqlConnection(connectionString))
             {
                 var queryString = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
-                  + Console.ReadLine()! + "' ORDER BY PRICE";
-                var cmd = new SqlCommand(queryString);
-                var adapter = new SqlDataAdapter(cmd);
+                  + Console.ReadLine()! + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
+                var cmd = new SqlCommand(queryString); // $ Alert[cs/sql-injection]
+                var adapter = new SqlDataAdapter(cmd); // $ Alert[cs/sql-injection]
                 var result = new DataSet();
                 adapter.Fill(result);
             }
@@ -119,14 +119,14 @@ public void GetDataSetByCategory()
     public abstract class MyController : Controller
     {
         [HttpPost("{userId:string}")]
-        public async Task<IActionResult> GetUserById([FromRoute] string userId, CancellationToken cancellationToken)
+        public async Task<IActionResult> GetUserById([FromRoute] string userId, CancellationToken cancellationToken) // $ Source[cs/sql-injection]
         {
             // This is a vulnerable method due to SQL injection
             string query = "SELECT * FROM Users WHERE UserId = '" + userId + "'";
 
             using (SqlConnection connection = new SqlConnection("YourConnectionString"))
             {
-                SqlCommand command = new SqlCommand(query, connection);
+                SqlCommand command = new SqlCommand(query, connection); // $ Alert[cs/sql-injection]
                 connection.Open();
 
                 SqlDataReader reader = command.ExecuteReader();
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.qlref b/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.qlref
@@ -1,2 +1,4 @@
 query: Security Features/CWE-089/SqlInjection.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjectionDapper.cs b/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjectionDapper.cs
@@ -17,64 +17,64 @@ public void Bad01()
         {
             using (var connection = new SqlConnection(connectionString))
             {
-                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
-                var result = connection.Query<object>(query);
+                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
+                var result = connection.Query<object>(query); // $ Alert[cs/sql-injection]
             }
         }
 
         public async Task Bad02()
         {
             using (var connection = new SqlConnection(connectionString))
             {
-                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
-                var result = await connection.QueryAsync<object>(query);
+                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
+                var result = await connection.QueryAsync<object>(query); // $ Alert[cs/sql-injection]
             }
         }
 
         public async Task Bad03()
         {
             using (var connection = new SqlConnection(connectionString))
             {
-                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
-                var result = await connection.QueryFirstAsync(query);
+                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
+                var result = await connection.QueryFirstAsync(query); // $ Alert[cs/sql-injection]
             }
         }
 
         public async Task Bad04()
         {
             using (var connection = new SqlConnection(connectionString))
             {
-                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
+                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
 
-                await connection.ExecuteAsync(query);
+                await connection.ExecuteAsync(query); // $ Alert[cs/sql-injection]
             }
         }
 
         public void Bad05()
         {
             using (var connection = new SqlConnection(connectionString))
             {
-                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
-                connection.ExecuteScalar(query);
+                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
+                connection.ExecuteScalar(query); // $ Alert[cs/sql-injection]
             }
         }
 
         public void Bad06()
         {
             using (var connection = new SqlConnection(connectionString))
             {
-                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
-                connection.ExecuteReader(query);
+                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
+                connection.ExecuteReader(query); // $ Alert[cs/sql-injection]
             }
         }
 
         public async Task Bad07()
         {
             using (var connection = new SqlConnection(connectionString))
             {
-                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
+                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
 
-                var comDef = new CommandDefinition(query);
+                var comDef = new CommandDefinition(query); // $ Alert[cs/sql-injection]
                 var result = await connection.QueryFirstAsync(comDef);
             }
         }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjectionSqlite.cs b/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjectionSqlite.cs
@@ -16,12 +16,12 @@ class SqlInjection
         public void InjectUntrustedData()
         {
             // BAD: untrusted data is not sanitized.
-            SQLiteCommand cmd = new SQLiteCommand(untrustedData.Text);
+            SQLiteCommand cmd = new SQLiteCommand(untrustedData.Text); // $ Alert[cs/sql-injection]
 
             // BAD: untrusted data is not sanitized.
             using (var connection = new SQLiteConnection(connectionString))
             {
-                cmd = new SQLiteCommand(untrustedData.Text, connection);
+                cmd = new SQLiteCommand(untrustedData.Text, connection); // $ Source[cs/sql-injection] Alert[cs/sql-injection]
             }
 
             SQLiteDataAdapter adapter;
@@ -30,23 +30,23 @@ public void InjectUntrustedData()
             // BAD: untrusted data is not sanitized.
             using (var connection = new SQLiteConnection(connectionString))
             {
-                adapter = new SQLiteDataAdapter(untrustedData.Text, connection);
+                adapter = new SQLiteDataAdapter(untrustedData.Text, connection); // $ Alert[cs/sql-injection]
                 result = new DataSet();
                 adapter.Fill(result);
             }
 
             // BAD: untrusted data is not sanitized.
-            adapter = new SQLiteDataAdapter(untrustedData.Text, connectionString);
+            adapter = new SQLiteDataAdapter(untrustedData.Text, connectionString); // $ Alert[cs/sql-injection]
             result = new DataSet();
             adapter.Fill(result);
 
             // BAD: untrusted data is not sanitized.
-            adapter = new SQLiteDataAdapter(cmd);
+            adapter = new SQLiteDataAdapter(cmd); // $ Alert[cs/sql-injection]
             result = new DataSet();
             adapter.Fill(result);
 
             // BAD: untrusted data as filename is not sanitized.
-            using (FileStream fs = new FileStream(untrustedData.Text, FileMode.Open))
+            using (FileStream fs = new FileStream(untrustedData.Text, FileMode.Open)) // $ Source[cs/sql-injection]
             {
                 using (StreamReader sr = new StreamReader(fs, Encoding.UTF8))
                 {
@@ -58,12 +58,12 @@ public void InjectUntrustedData()
                             continue;
                         using (var connection = new SQLiteConnection(""))
                         {
-                            cmd = new SQLiteCommand(sql, connection);
+                            cmd = new SQLiteCommand(sql, connection); // $ Alert[cs/sql-injection]
                             cmd.ExecuteScalar();
                         }
                     }
                 }
             }
         }
     }
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -17,20 +17,20 @@ public void ProcessRequest()`
`17`	`17`	`{`
`18`	`18`	`connection.Open();`
`19`	`19`	`SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection);`
`20`		`- SqlDataReader customerReader = customerCommand.ExecuteReader();`
	`20`	`+ SqlDataReader customerReader = customerCommand.ExecuteReader(); // $ Source[cs/sql-injection]`
`21`	`21`
`22`	`22`	`while (customerReader.Read())`
`23`	`23`	`{`
`24`	`24`	`// BAD: Read from database, write it straight to another query`
`25`		`- SqlCommand secondCustomerCommand = new SqlCommand("SELECT * FROM customers WHERE customerName=" + customerReader.GetString(1), connection);`
	`25`	`+ SqlCommand secondCustomerCommand = new SqlCommand("SELECT * FROM customers WHERE customerName=" + customerReader.GetString(1), connection); // $ Alert[cs/sql-injection]`
`26`	`26`	`}`
`27`	`27`	`customerReader.Close();`
`28`	`28`	`}`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`public void RunSQLFromFile()`
`32`	`32`	`{`
`33`		`- using (FileStream fs = new FileStream("myfile.txt", FileMode.Open))`
	`33`	`+ using (FileStream fs = new FileStream("myfile.txt", FileMode.Open)) // $ Source[cs/sql-injection]`
`34`	`34`	`{`
`35`	`35`	`using (StreamReader sr = new StreamReader(fs, Encoding.UTF8))`
`36`	`36`	`{`
`@@ -42,7 +42,7 @@ public void RunSQLFromFile()`
`42`	`42`	`continue;`
`43`	`43`	`using (var connection = new SQLiteConnection(""))`
`44`	`44`	`{`
`45`		`- var cmd = new SQLiteCommand(sql, connection);`
	`45`	`+ var cmd = new SQLiteCommand(sql, connection); // $ Alert[cs/sql-injection]`
`46`	`46`	`cmd.ExecuteScalar();`
`47`	`47`	`}`
`48`	`48`	`}`
Original file line number	Diff line number	Diff line change
`@@ -17,64 +17,64 @@ public void Bad01()`
`17`	`17`	`{`
`18`	`18`	`using (var connection = new SqlConnection(connectionString))`
`19`	`19`	`{`
`20`		`- var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";`
`21`		`- var result = connection.Query<object>(query);`
	`20`	`+ var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]`
	`21`	`+ var result = connection.Query<object>(query); // $ Alert[cs/sql-injection]`
`22`	`22`	`}`
`23`	`23`	`}`
`24`	`24`
`25`	`25`	`public async Task Bad02()`
`26`	`26`	`{`
`27`	`27`	`using (var connection = new SqlConnection(connectionString))`
`28`	`28`	`{`
`29`		`- var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";`
`30`		`- var result = await connection.QueryAsync<object>(query);`
	`29`	`+ var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]`
	`30`	`+ var result = await connection.QueryAsync<object>(query); // $ Alert[cs/sql-injection]`
`31`	`31`	`}`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`public async Task Bad03()`
`35`	`35`	`{`
`36`	`36`	`using (var connection = new SqlConnection(connectionString))`
`37`	`37`	`{`
`38`		`- var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";`
`39`		`- var result = await connection.QueryFirstAsync(query);`
	`38`	`+ var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]`
	`39`	`+ var result = await connection.QueryFirstAsync(query); // $ Alert[cs/sql-injection]`
`40`	`40`	`}`
`41`	`41`	`}`
`42`	`42`
`43`	`43`	`public async Task Bad04()`
`44`	`44`	`{`
`45`	`45`	`using (var connection = new SqlConnection(connectionString))`
`46`	`46`	`{`
`47`		`- var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";`
	`47`	`+ var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]`
`48`	`48`
`49`		`- await connection.ExecuteAsync(query);`
	`49`	`+ await connection.ExecuteAsync(query); // $ Alert[cs/sql-injection]`
`50`	`50`	`}`
`51`	`51`	`}`
`52`	`52`
`53`	`53`	`public void Bad05()`
`54`	`54`	`{`
`55`	`55`	`using (var connection = new SqlConnection(connectionString))`
`56`	`56`	`{`
`57`		`- var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";`
`58`		`- connection.ExecuteScalar(query);`
	`57`	`+ var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]`
	`58`	`+ connection.ExecuteScalar(query); // $ Alert[cs/sql-injection]`
`59`	`59`	`}`
`60`	`60`	`}`
`61`	`61`
`62`	`62`	`public void Bad06()`
`63`	`63`	`{`
`64`	`64`	`using (var connection = new SqlConnection(connectionString))`
`65`	`65`	`{`
`66`		`- var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";`
`67`		`- connection.ExecuteReader(query);`
	`66`	`+ var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]`
	`67`	`+ connection.ExecuteReader(query); // $ Alert[cs/sql-injection]`
`68`	`68`	`}`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`public async Task Bad07()`
`72`	`72`	`{`
`73`	`73`	`using (var connection = new SqlConnection(connectionString))`
`74`	`74`	`{`
`75`		`- var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";`
	`75`	`+ var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]`
`76`	`76`
`77`		`- var comDef = new CommandDefinition(query);`
	`77`	`+ var comDef = new CommandDefinition(query); // $ Alert[cs/sql-injection]`
`78`	`78`	`var result = await connection.QueryFirstAsync(comDef);`
`79`	`79`	`}`
`80`	`80`	`}`
Original file line number	Diff line number	Diff line change
`@@ -16,12 +16,12 @@ class SqlInjection`
`16`	`16`	`public void InjectUntrustedData()`
`17`	`17`	`{`
`18`	`18`	`// BAD: untrusted data is not sanitized.`
`19`		`- SQLiteCommand cmd = new SQLiteCommand(untrustedData.Text);`
	`19`	`+ SQLiteCommand cmd = new SQLiteCommand(untrustedData.Text); // $ Alert[cs/sql-injection]`
`20`	`20`
`21`	`21`	`// BAD: untrusted data is not sanitized.`
`22`	`22`	`using (var connection = new SQLiteConnection(connectionString))`
`23`	`23`	`{`
`24`		`- cmd = new SQLiteCommand(untrustedData.Text, connection);`
	`24`	`+ cmd = new SQLiteCommand(untrustedData.Text, connection); // $ Source[cs/sql-injection] Alert[cs/sql-injection]`
`25`	`25`	`}`
`26`	`26`
`27`	`27`	`SQLiteDataAdapter adapter;`
`@@ -30,23 +30,23 @@ public void InjectUntrustedData()`
`30`	`30`	`// BAD: untrusted data is not sanitized.`
`31`	`31`	`using (var connection = new SQLiteConnection(connectionString))`
`32`	`32`	`{`
`33`		`- adapter = new SQLiteDataAdapter(untrustedData.Text, connection);`
	`33`	`+ adapter = new SQLiteDataAdapter(untrustedData.Text, connection); // $ Alert[cs/sql-injection]`
`34`	`34`	`result = new DataSet();`
`35`	`35`	`adapter.Fill(result);`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`// BAD: untrusted data is not sanitized.`
`39`		`- adapter = new SQLiteDataAdapter(untrustedData.Text, connectionString);`
	`39`	`+ adapter = new SQLiteDataAdapter(untrustedData.Text, connectionString); // $ Alert[cs/sql-injection]`
`40`	`40`	`result = new DataSet();`
`41`	`41`	`adapter.Fill(result);`
`42`	`42`
`43`	`43`	`// BAD: untrusted data is not sanitized.`
`44`		`- adapter = new SQLiteDataAdapter(cmd);`
	`44`	`+ adapter = new SQLiteDataAdapter(cmd); // $ Alert[cs/sql-injection]`
`45`	`45`	`result = new DataSet();`
`46`	`46`	`adapter.Fill(result);`
`47`	`47`
`48`	`48`	`// BAD: untrusted data as filename is not sanitized.`
`49`		`- using (FileStream fs = new FileStream(untrustedData.Text, FileMode.Open))`
	`49`	`+ using (FileStream fs = new FileStream(untrustedData.Text, FileMode.Open)) // $ Source[cs/sql-injection]`
`50`	`50`	`{`
`51`	`51`	`using (StreamReader sr = new StreamReader(fs, Encoding.UTF8))`
`52`	`52`	`{`
`@@ -58,12 +58,12 @@ public void InjectUntrustedData()`
`58`	`58`	`continue;`
`59`	`59`	`using (var connection = new SQLiteConnection(""))`
`60`	`60`	`{`
`61`		`- cmd = new SQLiteCommand(sql, connection);`
	`61`	`+ cmd = new SQLiteCommand(sql, connection); // $ Alert[cs/sql-injection]`
`62`	`62`	`cmd.ExecuteScalar();`
`63`	`63`	`}`
`64`	`64`	`}`
`65`	`65`	`}`
`66`	`66`	`}`
`67`	`67`	`}`
`68`	`68`	`}`
`69`		`-}`
	`69`	`+}`