Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Control SQL injection in MVC

It's my first time developing using MVC and I want to make it secure.

When I use HtmlEncode it converts the String to the equivalent HTML String.

The user can enter in the search for example ali' or ali-- and they exist in my database. How to control my search and login from SQL injection please?

Also any tutorial or best practice to prevent script injection?

like image 304
AMH Avatar asked Jan 31 '12 12:01

AMH


3 Answers

LINQ and Entity Framework already check for SQL Injection for you.

But you should read the documentation anyhow:

LINQ MSDN Link (section SQL-Injection Attacks)

Entity Framework MSDN Link (section Security Considerations for Queries)

Hope it helps!

like image 198
Cacho Santa Avatar answered Nov 15 '22 21:11

Cacho Santa


As long as you use parameterized queries or a ORM like NHibernate or Entity Framework you don't have to do anything to prevent SQL injection. Parameters are passed to the server outside the actual SQL statement, as part of the RPC call to the server. Most ORMs use parameterized queries for performance reasones, so they are not vulnerable to SQL injection.

SQL Injection is possible only if you create a SQL statement by concatenating string values.

That said, you still have to be wary of user input to prevent script injection attacks. Fortunately, ASP.NET MVC already provides a request validation mechanism (see Understanding Request Validation).

like image 35
Panagiotis Kanavos Avatar answered Nov 15 '22 22:11

Panagiotis Kanavos


If you use LINQ to perform your database queries, it eliminates that kind of SQL injection risks for you.

like image 40
Hanno Avatar answered Nov 15 '22 21:11

Hanno