Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Entity Framework, LinqToSQL and sql injection

Is it possible for a project using entirely LinqToSQL or Entity Framewok to suffer from SQL Injection.

I think that probably not because the SQL that the ORM generates should be sql-injection free. But I'm not sure.

like image 665
Carlos Muñoz Avatar asked Aug 13 '10 04:08

Carlos Muñoz


2 Answers

When you use those frameworks as intended, i.e. the entities/tables directly, then no. All string comparisons (i.e. where name = 'smith' ) are parameterized.

The only vulnerable spots are:

  • any string can be executed directly against the context. dbContext.ExecuteQuery(); with any kind of destructive string.

  • a stored procedure executing dynamic SQL using any parameters given

like image 109
p.campbell Avatar answered Oct 06 '22 23:10

p.campbell


"It depends".

Plain LINQ queries against L2S or EF entities are injection safe, but you could always call a stored procedure or function that is not injection safe.

That would clearly be an edge case, but yes it happens that people write SPs/functions that are open to injection (composing SQL-in-strings with parameter values inside the proc).

like image 30
KristoferA Avatar answered Oct 06 '22 23:10

KristoferA