From 21dd5136514498c4c65f95fe7f5dd283b062c04c Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Mon, 13 May 2024 22:19:49 +0000
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20(CodeQL)=20SQL=20query=20built=20fr?=
 =?UTF-8?q?om=20user-controlled=20sources?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 WebGoat/App_Code/DB/MySqlDbProvider.cs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/WebGoat/App_Code/DB/MySqlDbProvider.cs b/WebGoat/App_Code/DB/MySqlDbProvider.cs
index 0bc79812..4acf199a 100644
--- a/WebGoat/App_Code/DB/MySqlDbProvider.cs
+++ b/WebGoat/App_Code/DB/MySqlDbProvider.cs
@@ -200,8 +200,9 @@ public string GetCustomerEmail(string customerNumber)
 using (MySqlConnection connection = new MySqlConnection(_connectionString))
 {
- string sql = "select email from CustomerLogin where customerNumber = " + customerNumber;
+ string sql = "select email from CustomerLogin where customerNumber = @customerNumber";
 MySqlCommand command = new MySqlCommand(sql, connection);
+ command.Parameters.AddWithValue("@customerNumber", customerNumber);
 output = command.ExecuteScalar().ToString();
 }
 }
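Review bot: The parameterized query closes the injection, but `command.ExecuteScalar().ToString()` on the context line below the new `AddWithValue` still dereferences a null when no CustomerLogin row matches `customerNumber`, so a lookup miss (now the normal outcome for any non-existent or malformed number that previously could have altered the query) surfaces as an unhandled NullReferenceException rather than an empty result; `output = command.ExecuteScalar()?.ToString();` keeps the behavior for hits and returns null on a miss, assuming `output` is declared as a nullable string where the method begins outside this hunk. `AddWithValue` infers the parameter type from the C# string, which is acceptable here but a typed `MySqlParameter` would pin the column type if `customerNumber` is numeric in the schema. `MySqlCommand` is disposable and is not wrapped in a `using` like the connection is; `using (MySqlCommand command = new MySqlCommand(sql, connection))` would match the surrounding style. The enclosing `GetCustomerEmail` starts before the hunk, and its remaining context line appears to fall outside this excerpt.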