I know that if I use LINQ to SQL, everything will be parametrised and SQL injection safe. But how about IQueryable?
For example, I can cast some entity to IQueryable:
var myquery = mytesttable.AsQueryable();
var qText = "name=" + "\"" + DynamicSearchCondition + "\"";
myquery = myquery.Where(qText);
Then when the query is run, from trace I can see that the DynamicSearchCondition passed in is not parametrised.
Initially I thought this was not SQL injection proof, but I then tried some examples and just couldn't break this one. Does that mean it is SQL injection free then (I think it is now)?
If that is true, will it mean all IQueryables are SQL injection safe?
Generally speaking, Entity Framework uses LINQ-to-Entities parametrized queries, and it is not susceptible to traditional SQL Injection attacks. However, Entity Framework does allow for the use of raw SQL queries when working with a relational database, introducing the risk of writing injectable queries.
Yes, LINQ will help stop SQL injection. LINQ to SQL passes all data to the database via SQL parameters. So, although the SQL query is composed dynamically, the values are substituted server side through parameters, safeguarding against the most common cause of SQL injection attacks.
Absolutely it is vulnerable to injection attacks.
For your particular example:
var myquery = mytesttable.AsQueryable();
var qText = "name=" + "\"" + DynamicSearchCondition + "\"";
myquery = myquery.Where(qText);
would fail with this:
var DynamicSearchCondition = "\" or \"\"=\"";
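The following is an added example, not code from the question or either answer. It puts the concatenated predicate from the question beside the parameterised form and runs both against a constructed in-memory table with the payload from the answer above. It assumes the System.Linq.Dynamic.Core NuGet package, which provides the string-based Where(string predicate, params object[] args) that the question's code relies on; the injection happens when Dynamic LINQ parses the predicate text, before any SQL is generated, so the same outcome holds for any IQueryable provider.

```csharp
// Added example. Assumes the System.Linq.Dynamic.Core package for the
// string-based Where() overloads; the Customer table is constructed here.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Dynamic.Core;

public class Customer
{
    public int Id { get; set; }
    public string Name { get; set; } = "";
}

public static class DynamicWhereDemo
{
    // Constructed sample rows standing in for the question's mytesttable.
    static readonly IQueryable<Customer> Table = new List<Customer>
    {
        new Customer { Id = 1, Name = "alice" },
        new Customer { Id = 2, Name = "bob" },
        new Customer { Id = 3, Name = "carol" },
    }.AsQueryable();

    // The pattern from the question: caller-supplied text is spliced into
    // the predicate source, so the caller controls the expression itself,
    // not merely a value inside it.
    public static int CountUnsafe(string dynamicSearchCondition)
    {
        var qText = "Name=\"" + dynamicSearchCondition + "\"";
        return Table.Where(qText).Count();
    }

    // Fix: keep the predicate text constant and hand the value over as a
    // positional argument (@0). Dynamic LINQ binds it as a constant, so any
    // quotes or operators inside it are data, never syntax.
    public static int CountSafe(string dynamicSearchCondition)
    {
        return Table.Where("Name == @0", dynamicSearchCondition).Count();
    }

    public static void Main()
    {
        const string benign = "alice";
        const string hostile = "\" or \"\"=\""; // the payload from the answer

        // Unsafe: predicate becomes  Name="" or ""=""  which is true for every row,
        // so the filter is bypassed and the whole table is returned.
        Console.WriteLine("unsafe/benign:  " + CountUnsafe(benign));
        Console.WriteLine("unsafe/hostile: " + CountUnsafe(hostile));
        // Safe: the value is compared literally, so the hostile string matches nobody.
        Console.WriteLine("safe/benign:    " + CountSafe(benign));
        Console.WriteLine("safe/hostile:   " + CountSafe(hostile));
    }
}
```

The strongly typed form, `mytesttable.Where(x => x.Name == DynamicSearchCondition)`, avoids the problem entirely because there is no predicate text to inject into.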