Entity Framework vs SQL Injection (security?)

Viewed 396 times

1

Hello! I'm new to development, so excuse me if the question is silly. If you can, I'd appreciate links with references so I can inform myself better.

As much as I understand the concept and the use of SQL Injection, I can't muster enough malice to imagine attacks and practical uses, so I'm worried about the security of my application. I'm developing in ASP.NET MVC with C# and data access with Entity Framework. I read that the best method to avoid the infamous SQL Injection is to use stored procedures for everything. But doing that with Entity Framework, it seems to me, would end up removing all the practicality of this tool.

So here is my doubt. If I create an entity like this:

public class Cliente
{
    public int ClienteID { get; set; }
    public string Nome { get; set; }
    public string CNPJ { get; set; }
    public string Telefone { get; set; }
}

And create a standard Controller using scaffolding, where I have an Edit action:

[HttpPost]
[ValidateAntiForgeryToken]
// The Bind list must name the entity's properties (ClienteID, CNPJ), otherwise
// the key is not bound and the entity cannot be marked as Modified correctly.
public ActionResult Edit([Bind(Include="ClienteID,Nome,CNPJ,Telefone")] Cliente cliente)
{
    if (ModelState.IsValid)
    {
        // db is the controller's DbContext field; EF issues a parameterised UPDATE here
        db.Entry(cliente).State = EntityState.Modified;
        db.SaveChanges();
        return RedirectToAction("Index");
    }
    return View(cliente);
}

Am I subject to SQL Injection if my user enters an Insert or Delete clause in the Name field of my View? If so, how do I prevent it?

I see a lot of tutorials and courses teaching it like this, but no one comments on security issues.

1 answer

1


When we use LINQ to Entities it is free from SQL Injection, yes. I'm not sure about ADO.NET.

Anyway, the way you are doing it, it is not possible to inject SQL code.

  • Thanks @Manaces. Do you understand security well? Could you point me to some text so I can learn more?

  • You have the documentation itself here: https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/ef/security-considerations

  • As long as you don't use any SQL. Security is extremely complex and it won't be a single text that helps much. It actually gets in the way, because that's common.

  • @Kkkkk moustache! Yeah, especially when we're in a hurry, and nowadays everything seems urgent, we have to get the work done now and "then we'll see better". But I have to start somewhere, right? I've even been interested in pursuing a career in IT security, but I don't know any course or anything that would point me in the right direction for this.
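To make the answer's distinction concrete, here is an added example (not code from the question, the answer, or Entity Framework itself) using the Cliente entity above. It assumes an EF6 DbContext named ClienteContext with a DbSet<Cliente> mapped to a table named Clientes; it shows the two forms that keep user input as a parameter value and the one form where the input becomes part of the SQL text.

```csharp
using System.Data.Entity;      // EF6: DbContext, DbSet
using System.Data.SqlClient;   // SqlParameter
using System.Linq;

// Assumed context (not on the original page): one DbSet mapped to table Clientes.
public class ClienteContext : DbContext
{
    public DbSet<Cliente> Clientes { get; set; }
}

public static class ClienteQueries
{
    // SAFE: LINQ to Entities. EF translates the lambda into SQL with a
    // parameter, so whatever the user typed in the Nome field travels as a
    // parameter VALUE. A quote or a DELETE clause inside it cannot change
    // the statement; it just compares against the stored Nome.
    public static Cliente FindByNomeLinq(ClienteContext db, string nome)
    {
        return db.Clientes.FirstOrDefault(c => c.Nome == nome);
    }

    // SAFE: raw SQL is fine as long as the input is bound as a parameter.
    // The SQL text is a constant; @nome is filled in by the provider.
    public static Cliente FindByNomeRawParameterised(ClienteContext db, string nome)
    {
        return db.Database
                 .SqlQuery<Cliente>("SELECT * FROM Clientes WHERE Nome = @nome",
                                    new SqlParameter("@nome", nome))
                 .FirstOrDefault();
    }

    // UNSAFE: this is the "using SQL yourself" case the comments warn about.
    // The input is concatenated into the SQL text, so a quote character in
    // nome ends the literal and the rest is parsed as SQL. Shown only as the
    // pattern to recognise and replace with one of the two methods above.
    public static Cliente FindByNomeRawConcatenated(ClienteContext db, string nome)
    {
        var sql = "SELECT * FROM Clientes WHERE Nome = '" + nome + "'";
        return db.Database.SqlQuery<Cliente>(sql).FirstOrDefault();
    }
}
```

The scaffolded Edit action in the question belongs to the first category: SaveChanges() emits an UPDATE whose column values are all parameters, which is why the answer says it cannot be injected.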
