Sql injection in dynamic data

  • Question

  • User2057255475 posted

    Hi All,

    I have a doubt regarding an ASP.NET Dynamic Data application. In order to provide filtering in ASP.NET Dynamic Data, we generally provide a text box and assign it to the WhereParameters of an EntityDataSource, something like below.

      <WhereParameters>
          <asp:ControlParameter ControlID="txt" DbType="String" />
      </WhereParameters>

    If a user tries to enter some SQL injection into the text box control and performs the filtering, does the framework handle this kind of scenario, or do we need to take any preventive measures against this?

    Thanks,

    Praveen.

    Monday, February 24, 2014 9:38 AM

Answers

  • User697462465 posted

    Hi Praveen Kadali,

    Please don't worry about it, because the ControlParameter can detect the SQL injection; you can test it in your project.

    When you input '--' in your textbox as the filter condition, it will only be used as a filter value, not as a SQL statement.

    Hope it helps.

    Best Regards,
    Terry Guo

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, February 25, 2014 1:56 AM

All replies

  • User-330204900 posted

    Because it uses Entity Framework or LINQ to SQL, any queries you get are parameterised, so you need not worry. If you would like to test this out, just run SQL Monitor and try injecting something into the query using a filter, etc. You will then see how the ORMs and DataSources handle it.

    Thursday, February 27, 2014 10:04 AM
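The two answers above make the same point: a ControlParameter value is bound as a query parameter, so the text-box content is compared as data and never becomes part of the SQL text. The following is an added example (not code from the thread or from ASP.NET Dynamic Data) that shows the difference with Python's sqlite3 module standing in for the EntityDataSource/SQL Server stack, using the same '-- input Terry suggests. The Products table and its rows are constructed for the demonstration; one row's Name is literally the string '-- so the two filter styles can be compared on identical input.

```python
import sqlite3

# Constructed sample data: one row's Name is literally the string '--
SAMPLE_ROWS = [("Widget",), ("'--",), ("Gadget",)]


def make_db():
    """Create an in-memory database with the constructed Products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (Name TEXT)")
    conn.executemany("INSERT INTO Products (Name) VALUES (?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def filter_by_concatenation(conn, value):
    """The pattern to avoid: the filter value is pasted into the SQL text.

    Returns (sql_actually_sent, matching_names) so the caller can see how the
    statement's structure changes when the value contains quote or comment
    characters. A lone quote makes the statement unparseable, so this raises
    sqlite3.OperationalError for that input.
    """
    sql = "SELECT Name FROM Products WHERE Name = '" + value + "'"
    return sql, [row[0] for row in conn.execute(sql)]


def filter_parameterised(conn, value):
    """What a ControlParameter feeding an EntityDataSource does conceptually:
    the SQL text is fixed and the value travels separately as a bound parameter,
    so the database engine treats it purely as a string to compare against.
    """
    sql = "SELECT Name FROM Products WHERE Name = ?"
    return sql, [row[0] for row in conn.execute(sql, (value,))]


def compare(conn, value):
    """Run both styles on the same input and report whether they agree.

    For ordinary input the result sets are identical; for input containing
    SQL syntax characters the concatenated query either fails or searches for
    something other than what the user typed, while the parameterised query
    still finds the row whose Name equals the typed text.
    """
    try:
        unsafe_sql, unsafe_rows = filter_by_concatenation(conn, value)
    except sqlite3.OperationalError as exc:
        unsafe_sql, unsafe_rows = "<error: %s>" % exc, None
    safe_sql, safe_rows = filter_parameterised(conn, value)
    return {
        "input": value,
        "concatenated_sql": unsafe_sql,
        "concatenated_rows": unsafe_rows,
        "parameterised_sql": safe_sql,
        "parameterised_rows": safe_rows,
        "same_result": unsafe_rows == safe_rows,
    }


if __name__ == "__main__":
    db = make_db()
    for test_input in ("Widget", "'--", "'"):
        report = compare(db, test_input)
        for key, val in report.items():
            print("%-18s %r" % (key + ":", val))
        print()
```

Running the script shows that for "Widget" both styles return the same row. For "'--" the concatenated statement becomes `WHERE Name = ''--'`, so the engine compares against an empty string and treats the rest of the line as a comment (no rows), while the parameterised query returns the row whose Name really is '--. For a single quote the concatenated statement is not even valid SQL. The parameterised path is the behaviour the ORM and the DataSource give you; if you want to confirm it in your own application, watching the statements with a SQL profiler, as suggested above, will show the fixed query text with the value carried as a parameter.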