
COMMON DEFECTS & SOLUTION

| # | Title | Error Location | Description | Type | Severity | Suggested preventive action or Solution |
|---|-------|----------------|-------------|------|----------|------------------------------------------|
| 1 | SQL Injection | ATM.DAO.AccountData, Line 24, 55, 62, 79 | The query string contains the variable "cardId", which may come from user input. | SQL Injection | Critical | Consider using a stored procedure or a parameterized SQL query instead of building the query with string concatenation. |
| 2 | Divide by zero | ATM.Bus.WithdrawMoenyBl, Line 51 | Value of t.Denomination is not checked. | | Minor | if (t.Denomination != 0) |
| 3 | Check state of connection | ATM.Common.SqlConnection, Line 13 | Connection state is not checked; an ArgumentException may occur. | | Minor | try { cnn = new SqlConnection(strcnn); } catch (Exception e) |
| 4 | | ATM.Common.SqlConnection, Line 35 | If the finally block is executed, an exception is left unhandled. | | Major | if (cnn != null) cnn.Close(); |
| 5 | Check value | ATM.DAO.CustomerData, Line 45 | Value of cusID is not checked before return. | | Major | if (cusID != " ") return cusID; else return "Nothing"; |
| 6 | Unreachable code | ATM.DAO.ValidateUserCardbll, Line 75 | Unreachable code | Unreachable code | Cosmetic | Not necessary |
| 7 | Check null | App.xaml, Line 35 | Null is not checked. | | Major | if (AccountData.GetCurrentAccount(Card.ID) != null) Acc = AccountData.GetCurrentAccount(Card.ID); |
| 8 | Check null | InsertCardView.xaml, Line 38 | Null is not checked. | | Major | try { App.Vavigate(new InsertPINView(App.Acc.ID)); } catch (Exception e) |
| 9 | KISS | ATM.DAO.CustomerData, Line 27, 44 | Non-standard | | Cosmetic | cnn.Close(); |
| 10 | Define constant | ATM.DAO.ValidateUserCardbll, Line 53 | Hard code | Hard code | Minor | Define pinLength = 6 in ATM.Common.ConstParameters |
| 11 | Coding convention | ATM.Bus.WithdrawMoenyBl, Line 13, 14 | | Coding convention | Cosmetic | Rename: list and listOfWithdraw |
| 12 | SQL Performance | ATM.DAO.AccountData, Line 18 | Should not select * | SQL Performance | Major | select ID, cusID, Balance, OverDraft, Name, OverDraftLimit, WithdrawLimit |
| 13 | SQL Performance | ATM.DAO.CardDAO, Line 21 | Should not select * | SQL Performance | Moderate | select ID, PIN, [Status], AccID, CreateDate, ExpiredDate |
| 14 | | | | Memory leak | | |
| 15 | | ATM.DAO.AccountData, Line 66-69 | Cannot use temporary variables. | | Cosmetic | float balance = (float) rd[0]; float od = (float) rd[1]; |
| 16 | | ATM.DAO.AccountData.UpdateAccountMoney(), Line 57 | Unnecessary to surround with a while loop. | | Cosmetic | var cusID; while (reader.Read()) { cusID = (string) reader[0]; reader.Close(); } |
| 17 | | ATM.DAO.AccountData, Line 64 | Unnecessary to surround with a while loop. | | Cosmetic | while (rd.Read()) { float balance = (float) rd[0]; float od = (float) rd[1]; rd.Close(); } |
| 18 | Define constant | ATM.Common.SqlConnectionData, Line 20 | Use a constant instead of a variable. | Hard code constant | Cosmetic | Define STRCNN in ATM.Common.ConstParameters |
| 19 | | ATM.Common.SqlConnectionData, Line 31 | Empty general catch clause | | Cosmetic | |
| 20 | Define constant | ATM.DAO.ATMDAO, Line 18 | Should use a constant for the query command. | Hard code constant | Cosmetic | Define QueryCommand in ATM.Common.ConstParameters |
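Added example, not code from the reviewed ATM project: the concatenation pattern flagged in defect 1 next to the parameterized fix its solution column recommends, with the connection closed on every path as defects 3 and 4 require. The table name Account, the NVarChar(20) card ID, and the decimal Balance column are assumptions; the explicit column list follows defect 12.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public class AccountData
{
    private readonly string _connectionString;

    public AccountData(string connectionString) => _connectionString = connectionString;

    // Defect 1: cardId is spliced into the SQL text, so a value that came from
    // user input is parsed as part of the statement rather than as data.
    public decimal GetBalanceUnsafe(string cardId)
    {
        string sql = "select Balance from Account where ID = '" + cardId + "'";
        using (var cnn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, cnn))
        {
            cnn.Open();
            return (decimal)cmd.ExecuteScalar();
        }
    }

    // Fix: the statement text is a constant and cardId is bound as a typed
    // parameter, so it cannot alter the statement's structure. The explicit
    // column list avoids "select *" (defect 12), and the using blocks dispose
    // the connection even when an exception escapes, which is what the
    // hand-written finally/if (cnn != null) cnn.Close() in defects 3 and 4 tried to do.
    public decimal GetBalance(string cardId)
    {
        const string sql = "select Balance from Account where ID = @cardId";
        using (var cnn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, cnn))
        {
            // Assumed column type: NVarChar(20). Fixing the length also stops
            // over-long input from reaching the server.
            cmd.Parameters.Add("@cardId", SqlDbType.NVarChar, 20).Value = cardId;
            cnn.Open();
            object result = cmd.ExecuteScalar();
            // ExecuteScalar returns null for no rows and DBNull for a NULL cell;
            // check both before casting, per the "check value" findings (defect 5).
            if (result == null || result == DBNull.Value)
                throw new InvalidOperationException("Unknown card ID");
            return (decimal)result;
        }
    }
}
```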
