From 692dfe187b7241d58cf4f96b3e7f24bb16c36df3 Mon Sep 17 00:00:00 2001
From: IGFCoimbra <36641997+IGFCoimbra@users.noreply.github.com>
Date: Wed, 29 Sep 2021 17:56:42 +0100
Subject: [PATCH] Create INjectionTest.cs
---
INjectionTest.cs | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100644 INjectionTest.cs
diff --git a/INjectionTest.cs b/INjectionTest.cs
new file mode 100644
index 0000000..f715f93
--- /dev/null
+++ b/INjectionTest.cs
@@ -0,0 +1,32 @@
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.EntityFrameworkCore;
+using WebApplication1.Controllers;
+
+namespace WebApplicationDotNetCore.Controllers
+{
+ public class RSPEC3649SQLiNoncompliant : Controller
+ {
+ private readonly UserAccountContext _context;
+
+ public RSPEC3649SQLiNoncompliant(UserAccountContext context)
+ {
+ _context = context;
+ }
+
+ public IActionResult Authenticate(string user)
+ {
+ string query = "SELECT * FROM Users WHERE Username = '" + user + "'";
+
+ // an attacker can bypass authentication by setting user to this special value
+ // user = "' or 1=1 or ''='";
+
+ var userExists = false;
+ if (_context.Database.ExecuteSqlCommand(query) > 0) // Noncompliant
+ {
+ userExists = true;
+ }
+
+ return Content(userExists ? "success" : "fail");
+ }
+ }
+}
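Review bot: `Authenticate` concatenates the `user` action parameter into `query` and passes it to `ExecuteSqlCommand`, so request input becomes part of the SQL statement. The class name and the `// Noncompliant` marker suggest this is an intentional analyzer fixture, but as a public `Controller` action it would be a reachable endpoint if the file is compiled into a deployed app, so it should sit in a test-only project or carry a header comment such as `// Intentionally vulnerable sample for rule S3649 - do not deploy`. A compliant counterpart would bind the value as a parameter, e.g. `_context.Database.ExecuteSqlInterpolated($"SELECT * FROM Users WHERE Username = {user}")`. Separately, `ExecuteSqlCommand` reports rows affected, which for a `SELECT` is normally -1, so the `> 0` check would likely never set `userExists`; an existence check through a query API would match the stated intent better.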