是否可以使用这种语法将sql注入实体框架？ [英] is posible to inject sql into entity framework with this syntax?

问题描述

Model.DBEntities db = new Model.DBEntities();
if (db.Users.Any(q => q.UserName == txtUserName.Text && q.Password == MD5Password))
{
 Model.User User = db.Users.First(q => q.UserName == txtUserName.Text && q.Password == MD5Password);
}

推荐答案

不，这是不可能的。实体框架会将您的字符串放入Sql-Parameters以执行查询，因此输入的文本不能成为/修改Sql-Statement本身的一部分。

No, it's not possible. Entity Framework will put your strings into Sql-Parameters in order to execute the query so the entered text can't become part of/modify the Sql-Statement itself.

Sascha是对的 75％，因为即使使用Entity也可以进行SQL注入，尤其是在使用Entity SQL时。。 Linq to Entities对于sql注入是完全安全的。请注意，您需要遵守的其他规则很少。请参阅：安全注意事项（实体框架） [ ^ ]

Sascha is right in 75%, becasue SQL injection is possible even using Entity, especially when Entity SQL is used.. Linq to Entities is completlty safe about sql injection. Note, that there is few other rules you need to respect. Please see: Security Considerations (Entity Framework)[^]

不，这是不可能的，但它也不是懒惰的借口，无论如何都不能验证和消毒你的输入。

No, it's not possible, but it is also not an excuse to be lazy and not validate and sanitize your inputs anyway.

这篇关于是否可以使用这种语法将sql注入实体框架？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！