C#: Add some examples where adapter is used in conjunction with a tainted command.

Author: michaelnebel

csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.cs

@@ -84,6 +84,17 @@ public void GetDataSetByCategory()
                 var result = new DataSet();
                 adapter.Fill(result);
             }
+
+            // BAD: Text from a local textbox
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var queryString = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
+                  + box1.Text + "' ORDER BY PRICE";
+                var cmd = new SqlCommand(queryString);
+                var adapter = new SqlDataAdapter(cmd);
+                var result = new DataSet();
+                adapter.Fill(result);
+            }
         }
 
         System.Windows.Forms.TextBox box1;

csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjectionSqlite.cs

@@ -37,6 +37,11 @@ public void InjectUntrustedData()
             adapter = new SQLiteDataAdapter(untrustedData.Text, connectionString);
             result = new DataSet();
             adapter.Fill(result);
+
+            // BAD: untrusted data is not sanitized.
+            adapter = new SQLiteDataAdapter(cmd);
+            result = new DataSet();
+            adapter.Fill(result);
         }
     }
 }