FIX: Fix prefast warnings (62100) in Sql\Sqlrepl\xpreplclr.net\ReplCmdDataReader.cs to prevent SQL injection attacks

Applies to: SQL Server 2014 Service Pack 2SQL Server 2014 DeveloperSQL Server 2014 Enterprise

Symptoms


During the Microsoft Auto Code Review (OACR) check for SQL replication component to validate if there is any code that's vulnerable for SQL injection attacks, you receive an error message that resembles the following:
F:\ds_maindev1\Sql\Sqlrepl\xpreplclr.net\ReplCmdDataReader.cs (1004): OACR warning 62100: The query string passed to 'SqlCommand.CommandText.set(string)' in 'ReplCmdsReader.sp_printstatement(string)' could contain the following variables 'strCmd'. If any of these variables could come from user input, consider using a stored procedure or a parameterized SQL query instead of building the query with string concatenations. (run 'oacr fxcop SQL:amd64chk /target asm_tranrepl.dll' for details)
FUNCTION: Microsoft.SqlServer.Replication.ReplCmdsReader (-1)

Resolution


This issue is fixed in the following cumulative updates for SQL Server:

About cumulative updates for SQL Server:

Each new cumulative update for SQL Server contains all the hotfixes and all the security fixes that were included with the previous cumulative update. Check out the latest cumulative updates for SQL Server:

References


Learn about the terminology that Microsoft uses to describe software updates.