Menu
Just wondering if the entity framework is setup to handle things like SQL injection out the box?
Every tutorial I have seen, video, book or blog post. No one mentions security and seems to pass in variables straight into the context with no checks etc...
Just wondering what peoples thoughts were on this, and how do you handle this side of things?
211
Generally speaking, Entity Framework uses LINQ-to-Entities parametrized queries, and it is not susceptible to traditional SQL Injection attacks. However, Entity Framework does allow for the use of raw SQL queries when working with a relational database, introducing the risk of writing injectable queries.
Entity Framework is the best way to develop database applications. I used to develop my applications using LINQ to SQL but since Microsoft is not going to support it in future, it recommends to use Entity Framework. By the way, Entity Framework 4 in . NET 4 has much better performance than previous versions.
Yes, Entity Framework does handle some security issues such as SQL injection attacks if you use the LINQ to Entities queries.
In the case of SQL injection, it does that through SQL query parameters. If you use Entity SQL commands there are possible vectors of attack just as if you used ADO.NET.
I am not sure about other possible security vulnerabilities but you can read more here on MSDN with some tips on making sure Entity Framework is secure.
176
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
