Is there any risk in using commands like the one below?
    // MyDbContext stands for your own DbContext subclass (the original wrote
    // DbConnection, which has no Database property, so this would not compile)
    using (var db = new MyDbContext())
    {
        db.Database.ExecuteSqlCommand("command and maybe @param", new SqlParameter("param", param));
    }
I need to use some old-style commands to select protected columns, and I wonder whether there is any SQL injection risk even with Entity Framework.
Upvotes: 1
Views: 76
Reputation: 15227
As long as you're not doing any string concatenation in code OR in your SQL command, you are safe from SQL injection.
EDIT
For clarification, it is OK if your parameters are string values. But if your parameter contains SQL, you're probably not safe. As for what I meant by string concatenation in your SQL command: you would likely have to use the SQL command EXEC in order to get it to work, and you'd be in trouble.
SAFE:
SELECT * FROM Employees WHERE employeeId = @employeeId
DANGEROUS:
EXEC ('SELECT * FROM Employees WHERE employeeId = ''' + @employeeId + '''')
-OR-
EXEC SP_EXECUTESQL ('SELECT * FROM Employees WHERE employeeId = ''' + @employeeId + '''')
Upvotes: 1
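As an added example (not code from the question or the answer), the patterns above written against an EF6 DbContext: the plain parameterised query, the safe way to run dynamic SQL through sp_executesql with a typed parameter instead of concatenation, and an allow-list for the one thing a parameter cannot carry, a column name. EmployeesContext, Employee and the column names are assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Entity;        // EF6 (assumed; matches the ExecuteSqlCommand API in the question)
using System.Data.SqlClient;
using System.Linq;

// Hypothetical entity and context; the question does not show its model.
public class Employee { public int EmployeeId { get; set; } public string Name { get; set; } }
public class EmployeesContext : DbContext { public DbSet<Employee> Employees { get; set; } }

public static class ProtectedColumnQueries
{
    // Identifiers cannot be bound as parameters, so a varying column name is only
    // safe when checked against a fixed list before it reaches the SQL text.
    private static readonly HashSet<string> AllowedColumns =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "EmployeeId", "Name", "Salary" };

    // SAFE: the value is sent as a bound parameter, never spliced into the SQL string.
    public static List<Employee> ByIdDirect(EmployeesContext db, int employeeId)
    {
        return db.Database.SqlQuery<Employee>(
            "SELECT EmployeeId, Name FROM Employees WHERE EmployeeId = @employeeId",
            new SqlParameter("@employeeId", employeeId)).ToList();
    }

    // SAFE although it is dynamic SQL: sp_executesql gets a parameter definition
    // (N'@id int') and the value separately, so there is no EXEC ('...' + @x + '...').
    public static List<Employee> ByIdDynamic(EmployeesContext db, int employeeId)
    {
        const string sql = @"EXEC sp_executesql
            N'SELECT EmployeeId, Name FROM Employees WHERE EmployeeId = @id',
            N'@id int', @id = @employeeId";
        return db.Database.SqlQuery<Employee>(sql, new SqlParameter("@employeeId", employeeId)).ToList();
    }

    // Column name from the caller: reject anything outside the allow-list, then let
    // the server bracket-quote it with QUOTENAME before the statement is built.
    public static int CountNonNull(EmployeesContext db, string column)
    {
        if (!AllowedColumns.Contains(column))
            throw new ArgumentException("column not permitted: " + column);
        const string sql = @"DECLARE @stmt nvarchar(max) =
            N'SELECT COUNT(*) FROM Employees WHERE ' + QUOTENAME(@col) + N' IS NOT NULL';
            EXEC sp_executesql @stmt";
        return db.Database.SqlQuery<int>(sql, new SqlParameter("@col", column)).Single();
    }
}
```

The string concatenation in CountNonNull happens on the server with a bound parameter that has already passed the allow-list, which is the only place a user-chosen identifier can be introduced without the EXEC-style concatenation the answer warns about.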