KB4512011 - FIX: Fix prefast warnings (62100) in Sql\Sqlrepl\xpreplclr.net\ReplCmdDataReader.cs to prevent SQL injection attacks

Symptoms

During the Microsoft Auto Code Review (OACR) check for SQL replication component to validate if there is any code that's vulnerable for SQL injection attacks, you receive an error message that resembles the following:

F:\ds_maindev1\Sql\Sqlrepl\xpreplclr.net\ReplCmdDataReader.cs (1004): OACR warning 62100: The query string passed to 'SqlCommand.CommandText.set(string)' in 'ReplCmdsReader.sp_printstatement(string)' could contain the following variables 'strCmd'. If any of these variables could come from user input, consider using a stored procedure or a parameterized SQL query instead of building the query with string concatenations. (run 'oacr fxcop SQL:amd64chk /target asm_tranrepl.dll' for details)

FUNCTION: Microsoft.SqlServer.Replication.ReplCmdsReader (-1)

Resolution

This issue is fixed in the following cumulative updates for SQL Server:

About cumulative updates for SQL Server:

Each new cumulative update for SQL Server contains all the hotfixes and all the security fixes that were included with the previous cumulative update. Check out the latest cumulative updates for SQL Server:

References

Learn about the terminology that Microsoft uses to describe software updates.

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×