Entity Framework Code First - SQL Injection prevention

ef-code-first entity-framework

Question

With MySQL, I'm use EF's Code First methodology.

I'm curious as to whether that approach's use of EF has built-in defenses against SQL Injection, or if I must write a SQL string query in the MySqlCommand and include other parameters.

Although I believe I don't need to, I want to be certain.

Edit (sample of code snippets):

MyContext cont = new MyContext();
cont.Comment.AddObject(new Comment { Content = "my string" });
cont.SaveChanges();

or

string query = "INSERT INTO Comment(Content)VALUES(@myVal)";

MySqlCommand comm = new MySqlCommand(query);
comm.CommandType = CommandType.Text;

comm.Parameters.AddWithValue("@myVal", "my string");
...and later execute that query

For me, the first method is considerably quicker to code.

1
5
11/26/2013 10:34:19 AM

Popular Answer

Your initial code is immune to SQL Injection.

Any information you supply to the EntityFramework is delivered as a Command to the inner IDbCommand.

But if you're using EntityFramework to execute direct queries, be careful.

a phrase taken from MSDN.

Although query composition is possible in LINQ to Entities, it is performed through the object model API. Unlike Entity SQL queries, LINQ to Entities queries are not composed by using string manipulation or concatenation, and they are not susceptible to traditional SQL injection attacks. "

8
11/26/2013 11:33:36 AM


Related Questions





Related

Licensed under: CC-BY-SA with attribution
Not affiliated with Stack Overflow
Licensed under: CC-BY-SA with attribution
Not affiliated with Stack Overflow