Can Convert.ToBase64String(Encoding.UTF8.GetBytes(input)) prevent Command Injection?


In my experience, we can use replace() to filter && and | to prevent command injection.

Our code needs to send a base64String to another process, but a Stored Command Injection is flagged by the Checkmarx scan. Can Convert.ToBase64String(Encoding.UTF8.GetBytes(jsonFromDb)) deal with it, or do we still need to do the replacement?


Good question. I think you should still make sure that you use prepared statements. Base64 only contains the letters of the alphabet (upper and lowercase), digits, +, / and = as the final padding character. That doesn't provide characters such as quotes and the like.

However, what would happen if somebody decides to use a different alphabet? What if somebody decides that base 64 is a waste of space? Because that's certainly what it is if you convert existing text to base 64. Then you'd suddenly be in problems.

All in all, using prepared statements is more secure, more performant and the best way of handling command injection. As an added bonus, you'd get rid of that pesky Checkmarx finding.


I'd only use base 64 if there is absolutely no other way to change that other process, and if that process cannot be reached otherwise. In that case you might want to use base64url though, as it is likely you can do even less with _ and - instead of +, / and =.

But to be honest, that code needs to get cleaned up pronto.
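As an added illustration of the two points in the answer (the Base64 alphabet contains no shell metacharacters, and base64url is tighter still), here is example C# that is not the asker's or the answerer's code. It encodes the database JSON, checks that the result really is pure Base64 before launching the child process, and passes it through ProcessStartInfo.ArgumentList with UseShellExecute = false so no shell ever parses the command line. It assumes .NET Core 2.1 or later (for ArgumentList); the receiver "consumer.exe" and its --payload switch are hypothetical placeholders.

```csharp
// Added example, not from the original post: hand a JSON payload to a child
// process as Base64 and verify the alphabet before launching. The receiver
// "consumer.exe" and its "--payload" switch are hypothetical.
using System;
using System.Diagnostics;
using System.Text;
using System.Text.RegularExpressions;

public static class SafeHandoff
{
    // Standard Base64 alphabet (RFC 4648 section 4): A-Z a-z 0-9 + / plus '=' padding.
    private static readonly Regex Base64Alphabet =
        new Regex(@"^[A-Za-z0-9+/]*={0,2}$", RegexOptions.Compiled);

    // base64url alphabet (RFC 4648 section 5): '-' and '_' replace '+' and '/', no padding.
    private static readonly Regex Base64UrlAlphabet =
        new Regex(@"^[A-Za-z0-9_-]*$", RegexOptions.Compiled);

    public static string Encode(string text) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(text));

    public static string EncodeUrlSafe(string text) =>
        Encode(text).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static string Decode(string b64) =>
        Encoding.UTF8.GetString(Convert.FromBase64String(b64));

    public static string DecodeUrlSafe(string b64url)
    {
        string s = b64url.Replace('-', '+').Replace('_', '/');
        // Convert.FromBase64String needs the padding back: length must be a multiple of 4.
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        return Decode(s);
    }

    // Defence in depth: refuse to launch if the argument is not pure Base64, for
    // example because somebody later "optimised" the encoding away (the answer's
    // "different alphabet" scenario).
    public static Process StartConsumer(string encodedPayload)
    {
        if (!Base64Alphabet.IsMatch(encodedPayload))
            throw new ArgumentException("payload is not Base64", nameof(encodedPayload));

        var psi = new ProcessStartInfo("consumer.exe")   // hypothetical receiver
        {
            UseShellExecute = false,   // no cmd.exe / shell parsing of the command line
        };
        // ArgumentList passes each entry as one argv element; nothing is
        // re-interpreted by a shell even if the alphabet check above were removed.
        psi.ArgumentList.Add("--payload");
        psi.ArgumentList.Add(encodedPayload);
        return Process.Start(psi);
    }

    public static void Main()
    {
        // Constructed sample: JSON from the database that happens to contain the
        // characters the asker was filtering with replace().
        string jsonFromDb = "{\"name\":\"a && b | c\"}";

        string b64 = Encode(jsonFromDb);
        string b64url = EncodeUrlSafe(jsonFromDb);

        Console.WriteLine(b64);
        Console.WriteLine(b64url);
        Console.WriteLine("standard alphabet ok: " + Base64Alphabet.IsMatch(b64));
        Console.WriteLine("url-safe alphabet ok: " + Base64UrlAlphabet.IsMatch(b64url));
        Console.WriteLine("round trip ok: " + (Decode(b64) == jsonFromDb
                                              && DecodeUrlSafe(b64url) == jsonFromDb));
        // StartConsumer(b64) would launch the (hypothetical) receiver here.
    }
}
```

The alphabet check is what turns the answer's "it only contains those characters" from an assumption about the encoder into an enforced invariant at the trust boundary, and ArgumentList removes the dependency on that invariant altogether; the Checkmarx finding should disappear once the payload is no longer concatenated into a command string.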