Entity Framework (5.0) - passing null value with parameter

  • Question

  • I am using Contrast Security (a third-party tool that flags SQL injection vulnerabilities) and Entity Framework 5.0; my code is like this:

    public int Insert(UserAddress userAddress)
    {
        // Mark the entity as new; EF generates the INSERT when SaveChanges() runs.
        _context.Entry(userAddress).State = EntityState.Added;
        _context.SaveChanges();
        return userAddress.Id;
    }

    When SaveChanges() gets executed, an insert query is generated like this:

    INSERT [dbo].[Address] ([UserId], [Name], [Address1], [Address2],
                            [City], [State], [PostalCode], 
                            [Location], [LocationTypeId],
                            [BusinessName], [DeliveryInstructions],
                            [IsDefault], [SortOrder])
    VALUES ('111111a1-22z2-33x3-44y4-fbad42c09c3a', @2, 'address1', null,
            'Alpharetta', 'GA', 30005,
            'POINT (-80.2427068 30.0925161)', 0,
            '', '',
            1, 0)

    Now, according to Contrast Security, passing "null" in the query is not ethical, it's bad practice - but I want to allow null values! I want to pass null as a parameter like this: @1 = null

    Can I pass null values using SQL parameters to the SaveChanges() method?

    Is there any way to handle this?


    Thursday, November 2, 2017 1:01 PM

All replies

  • "Now, according to contrast security, passing "null" in query is not ethical, it's bad practice - but I want to allow null values! I want to pass null as parameter like this: @1 = null"

    So pass it..

    Can I pass null values using SQL parameters to the SaveChanges() method?

    No

    Thursday, November 2, 2017 4:01 PM
  • "So pass it.."

    May I know how??

    Friday, November 3, 2017 6:33 AM
  • https://stackoverflow.com/questions/18116988/how-would-i-add-a-parameter-to-entity-framework-raw-sql-command

    MSDN Community Support

    Friday, November 3, 2017 10:10 AM
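    The linked Stack Overflow answer shows the raw-SQL route. As an added example that is not from this thread or from Entity Framework's own code, the method below rewrites the original Insert as a fully parameterized command using the EF5 APIs `Database.SqlQuery<T>` and `SqlParameter`, so that a database NULL (here the optional Address2) is sent as a parameter rather than spliced into the SQL text. The UserAddress property names are taken from the columns in the INSERT above and are an assumption, as are the `ToDbParameter` helper, the parameter names, and the assumption that `[Address].[Id]` is an identity column read back with SCOPE_IDENTITY().

```csharp
using System;
using System.Data;
using System.Data.Entity;      // DbContext (EntityFramework 5.0 package)
using System.Data.SqlClient;   // SqlParameter
using System.Linq;

// Assumed shape of the page's entity, with properties named after the
// columns in the generated INSERT. Address2 is nullable on purpose.
public class UserAddress
{
    public int Id { get; set; }
    public Guid UserId { get; set; }
    public string Name { get; set; }
    public string Address1 { get; set; }
    public string Address2 { get; set; }
    public string City { get; set; }
    public string State { get; set; }
    public int PostalCode { get; set; }
}

public class AddressRepository
{
    private readonly DbContext _context;

    public AddressRepository(DbContext context)
    {
        _context = context;
    }

    // Inserts with a parameterized raw SQL command instead of SaveChanges().
    // Every value, including the nullable Address2, travels as a typed
    // SqlParameter, so no literal is built into the SQL string.
    // Assumption: [Id] is an identity column, so SCOPE_IDENTITY() returns it.
    public int InsertParameterized(UserAddress userAddress)
    {
        const string sql =
            "INSERT [dbo].[Address] ([UserId], [Name], [Address1], [Address2], " +
            "                        [City], [State], [PostalCode]) " +
            "VALUES (@userId, @name, @address1, @address2, @city, @state, @postalCode); " +
            "SELECT CAST(SCOPE_IDENTITY() AS int)";

        return _context.Database.SqlQuery<int>(
            sql,
            ToDbParameter("@userId", userAddress.UserId),
            ToDbParameter("@name", userAddress.Name),
            ToDbParameter("@address1", userAddress.Address1),
            ToDbParameter("@address2", userAddress.Address2),   // may be null
            ToDbParameter("@city", userAddress.City),
            ToDbParameter("@state", userAddress.State),
            ToDbParameter("@postalCode", userAddress.PostalCode)).Single();
    }

    // Hypothetical helper. ADO.NET does not send a parameter whose Value is a
    // CLR null (the server reports it as "not supplied"), so a database NULL
    // has to be expressed as DBNull.Value.
    private static SqlParameter ToDbParameter(string name, object value)
    {
        return new SqlParameter(name, value ?? DBNull.Value);
    }
}
```

    The `value ?? DBNull.Value` substitution is the detail that makes "@address2 = null" work: a SqlParameter with a null Value is silently omitted from the batch, whereas DBNull.Value is sent as a real NULL. Passing every column this way also gives the static analyzer nothing to flag, because the SQL text is a constant.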
  • I can't use a stored procedure, it's existing code, I want to pass parameters to the SaveChanges() method...

    So can I confirm that, when using null properties in an EF model, EF creates vulnerable code when we use the SaveChanges() method?

    Tuesday, November 7, 2017 2:17 PM
  • "I can't use a stored procedure, it's existing code, I want to pass parameters to the SaveChanges() method...

    So can I confirm that, when using null properties in an EF model, EF creates vulnerable code when we use the SaveChanges() method?"

    Anything is vulnerable, as in the example.

    https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/

    So it's up to you, the developer, to know your situations as to when things would be at risk, like if using EF up at the UI where the UI could be hacked, as opposed to EF being used in a DAL in an N-tier solution where the likelihood of EF being compromised is slim to none, with none leading.

    Tuesday, November 7, 2017 6:23 PM