Control SQL injection in MVC

asp.net asp.net-mvc sql-injection
31,354

Solution 1

LINQ and Entity Framework already check for SQL Injection for you.

But you should read the documentation anyhow:

LINQ MSDN Link (section SQL-Injection Attacks)

Entity Framework MSDN Link (section Security Considerations for Queries)

Hope it helps!

Solution 2

As long as you use parameterized queries or a ORM like NHibernate or Entity Framework you don't have to do anything to prevent SQL injection. Parameters are passed to the server outside the actual SQL statement, as part of the RPC call to the server. Most ORMs use parameterized queries for performance reasones, so they are not vulnerable to SQL injection.

SQL Injection is possible only if you create a SQL statement by concatenating string values.

That said, you still have to be wary of user input to prevent script injection attacks. Fortunately, ASP.NET MVC already provides a request validation mechanism (see Understanding Request Validation).

Solution 3

If you use LINQ to perform your database queries, it eliminates that kind of SQL injection risks for you.

Share:
31,354
AMH
Author by

AMH

Updated on July 09, 2022

Comments

  • AMH
    AMH almost 2 years

    It's my first time developing using MVC and I want to make it secure.

    When I use HtmlEncode it converts the String to the equivalent HTML String.

    The user can enter in the search for example ali' or ali-- and they exist in my database. How to control my search and login from SQL injection please?

    Also any tutorial or best practice to prevent script injection?

  • AMH
    AMH over 12 years
    thanks does it support ROM databases , what about script injection please
  • Cacho Santa
    Cacho Santa over 12 years
    @AMH I believe that should be another question, but this link could be helpful: asp tutorials
  • AMH
    AMH over 12 years
    which you prefer please LINQ or EF
  • AMH
    AMH over 12 years
    but I tired to drop database I know by passing values by parameters
  • Cacho Santa
    Cacho Santa over 12 years
    In my particular case I prefer EF, but I don't know what are you trying to build... Actually I made my decision reading this
  • AMH
    AMH over 12 years
    I have one database that contains my website, and will connect, add, delete from it
  • Panagiotis Kanavos
    Panagiotis Kanavos over 12 years
    No matter what you pass to the parameter (and by parameter I meand a DbParameter-derived object like SqlParameter (msdn.microsoft.com/en-us/library/…), it will be passed to the server as a simple string. It is never executed. You can still get into trouble if you use the stored value to construct a SQL statement by string concatenation in some other part of your application.
  • Cacho Santa
    Cacho Santa over 12 years

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

System.Web.HttpContext.Current.get returned null in asp.net mvc controller
.NET Core 2 CookieAuthentication ignores expiration time span
Form Builder On the fly With asp.net mvc site
Prevent ASP.NET from redirecting to login.aspx
What is SignalR's browser compatibility?
Posting to another model from a form in ASP.NET MVC
ASP.Net Core: Unobtrusive validation not working
What is the difference between JSON.NET DataContractJsonSerializer and the Newtonsoft JSON serializer
ASP.NET MVC How safe are static variables
Facebook login throws "Given URL is not allowed by the Application configuration.: One or more of the given URLs is not allowed