VeraCode报告ServiceStack OrmLite对SQL命令("SQL注入")(CWE ID 89)中使用的特殊元素进行了不正确的中和 [英] VeraCode Reports ServiceStack OrmLite with Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE ID 89)
问题描述
好,所以我在Web API中使用ServiceStack OrmLite满足我的数据需求.当我将代码提交给VeraCode进行代码安全性扫描和验证时,结果报告显示OrmLite显示了潜在的SQL Injection攻击媒介.
Ok, so I am using ServiceStack OrmLite for my data needs in my Web API. When I submitted my code to VeraCode for code security scanning and verification the result report showed that OrmLite shows potential SQL Injection attack vectors.
ServiceStack.OrmLite.dll GridReader DapperMultiple(System.Data.IDbConnection, string, object, System.Data.IDbTransaction,System.Nullable<int>, System.Nullable<System.Data.CommandType>)
ServiceStack.OrmLite.dll int ExecuteCommand(System.Data.IDbConnection, System.Data.IDbTransaction, string, System.Action<System.Data.IDbCommand,object>, object, System.Nullable<int>, System.Nullable<System.Data.CommandType>)
ServiceStack.OrmLite.dll int ExecuteDapper(System.Data.IDbConnection, string, object, System.Data.IDbTransaction, System.Nullable<int>, System.Nullable<System.Data.CommandType>)
ServiceStack.OrmLite.dll object Scalar(System.Data.IDbCommand, string)
ServiceStack.OrmLite.dll System.Data.IDataReader ExecReader(System.Data.IDbCommand, string)
ServiceStack.OrmLite.dll System.Data.IDataReader ExecReader(System.Data.IDbCommand, string, System.Collections.Generic.IEnumerable<System.Data.IDataParameter>)
我不确定该如何分类.我应该用EntityFramework替换OrmLite吗?
I'm not sure how to triage this. Should I replace OrmLite with EntityFramework?
推荐答案
在使用VeraCode进行代码读取期间,建议的适当补救措施是用EntityFramework 6.1替换ServiceStack ORM.
During a code-readout with VeraCode the suggested proper remediation was to replace ServiceStack ORM with EntityFramework 6.1.
这只是对当前存储库模式的较小更新.
This was only a minor update to the repositories pattern currently in place.
这篇关于VeraCode报告ServiceStack OrmLite对SQL命令("SQL注入")(CWE ID 89)中使用的特殊元素进行了不正确的中和的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
