SQL Injection in LINQ Object Query

  • Question

  • Hi, I have written the following code, which works fine. I just wanted to know whether this is safe to use. Can this cause SQL injection if the IdXValues are user inputs or come from the browser?

    // Entity SQL predicate: the field names come from 'setting', the values are bound as @id1..@id3
    string condition = "it." + setting.FirstID + " = @id1 AND it." + setting.SecondID + " = @id2 AND it.ThirdID = @id3";

    System.Data.Entity.Core.Objects.ObjectQuery<Partner> query = partners.Where(condition,
        new System.Data.Entity.Core.Objects.ObjectParameter("id1", this.Id1Value),
        new System.Data.Entity.Core.Objects.ObjectParameter("id2", this.Id2Value),
        new System.Data.Entity.Core.Objects.ObjectParameter("id3", this.Id3Value));

    // Run the query without attaching the results to the context
    var result = query.Execute(System.Data.Entity.Core.Objects.MergeOption.NoTracking).ToList();

    Sunday, November 30, 2014 2:29 PM
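    An added example (not the poster's code) that separates the two things the question mixes: the `@id1`..`@id3` values are bound through `ObjectParameter`, so they never become part of the Entity SQL text, while `setting.FirstID` and `setting.SecondID` are spliced into the predicate as identifiers and are not parameterized at all. The example checks those two names against the set of `Partner` properties the query is allowed to filter on before building the predicate. `Partner` is the poster's entity type; `PartnerSetting`, `PartnerQueries` and the allowed property names are assumed.

    ```csharp
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Data.Entity.Core.Objects;

    // Hypothetical settings object: the two field names come from configuration
    // or from a caller, the three values come from the request.
    public class PartnerSetting
    {
        public string FirstID { get; set; }
        public string SecondID { get; set; }
    }

    public static class PartnerQueries
    {
        // Assumed: the only Partner properties this query may filter on.
        // A field name that is not in this set is rejected before it reaches
        // the predicate string, so an identifier cannot change the query shape.
        private static readonly HashSet<string> AllowedFields =
            new HashSet<string>(StringComparer.Ordinal) { "CustomerID", "RegionID", "ThirdID" };

        public static string BuildPredicate(PartnerSetting setting)
        {
            if (!AllowedFields.Contains(setting.FirstID) || !AllowedFields.Contains(setting.SecondID))
                throw new ArgumentException("Unknown filter field: " + setting.FirstID + " / " + setting.SecondID);

            // Identifiers are whitelisted above; values are bound as @id1..@id3 below.
            return "it." + setting.FirstID + " = @id1 AND it." + setting.SecondID + " = @id2 AND it.ThirdID = @id3";
        }

        public static List<Partner> Find(ObjectQuery<Partner> partners, PartnerSetting setting,
                                         object id1, object id2, object id3)
        {
            ObjectQuery<Partner> query = partners.Where(BuildPredicate(setting),
                new ObjectParameter("id1", id1),   // values travel as parameters, not as text
                new ObjectParameter("id2", id2),
                new ObjectParameter("id3", id3));

            return query.Execute(MergeOption.NoTracking).ToList();
        }
    }
    ```

    With the check in place, only the three values are untrusted input, and those never touch the query text; without it, whatever supplies `setting` controls part of the Entity SQL directly.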

All replies

  • It has a whole section about EF and SQL Injection attacks.

    http://msdn.microsoft.com/en-us/library/vstudio/cc716760(v=vs.100).aspx

    Sunday, November 30, 2014 9:51 PM
  • Thanks darnold924.

    I did read this article before posting this question, but I need help interpreting it for the above scenario.

    On one hand I have constructed the where condition dynamically as a SQL string, but on the other hand the query is parameterized. In this scenario, is SQL injection possible?

    Monday, December 1, 2014 12:50 AM
  • The fact that you are using Linq kind of mitigates the SQL Injection attack.

    http://www.devx.com/dotnet/Article/34653

    The fact that you are using parameters kind of mitigates the attack, just like using them in inline T-SQL and sprocs.

    You can always validate the data input by a user and prevent SQL Injection attacks that way too.

    Monday, December 1, 2014 1:48 AM