Entity Framework, LinqToSQL and sql injection
Problem description
Is it possible for a project using entirely LinqToSQL or Entity Framework to suffer from SQL injection?
I think that probably not, because the SQL that the ORM generates should be SQL-injection free. But I'm not sure.
When you use those frameworks as intended, i.e. the entities/tables directly, then no. All string comparisons (i.e. where name = 'smith') are parameterized.
The only vulnerable spots are:
- any string can be executed directly against the context: dbContext.ExecuteQuery(); with any kind of destructive string.
- a stored procedure executing dynamic SQL using any parameters given
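The following is an added example, not code from the question or the answer above. It contrasts the three cases the answer describes against a LINQ to SQL DataContext: a normal LINQ query (parameterized by the ORM), a raw ExecuteQuery call built by string concatenation (injectable), and ExecuteQuery with its {0} placeholders (bound as SQL parameters, so safe), plus the stored-procedure case where client-side binding cannot help. The table `Customers`, the entity `Customer` and the stored procedure `FindCustomers` are assumptions made for the illustration.

```csharp
// Added example (not from the original post). Assumes a LINQ to SQL
// DataContext connected to a SQL Server database with a table "Customers"
// (columns Id, Name) and a hypothetical stored procedure "FindCustomers".
using System.Collections.Generic;
using System.Data.Linq;
using System.Data.Linq.Mapping;
using System.Linq;

[Table(Name = "Customers")]
public class Customer
{
    [Column(IsPrimaryKey = true)]
    public int Id { get; set; }

    [Column]
    public string Name { get; set; }
}

public static class CustomerLookup
{
    // Safe: the ORM translates the lambda into
    //   SELECT ... FROM [Customers] WHERE [Name] = @p0
    // and sends `name` as the value of @p0, whatever characters it contains.
    public static List<Customer> ByNameLinq(DataContext db, string name)
    {
        return db.GetTable<Customer>().Where(c => c.Name == name).ToList();
    }

    // VULNERABLE: raw SQL assembled by concatenation. The input
    //   ' OR 1=1 --
    // yields  ... WHERE Name = '' OR 1=1 --'  and returns every row;
    // a ';'-separated second statement can do far worse.
    public static List<Customer> ByNameConcat(DataContext db, string name)
    {
        string sql = "SELECT Id, Name FROM Customers WHERE Name = '" + name + "'";
        return db.ExecuteQuery<Customer>(sql).ToList();
    }

    // Safe: {0} here is NOT string.Format. LINQ to SQL replaces each
    // placeholder with a SQL parameter (@p0, @p1, ...) and binds the
    // argument separately, so a quote in `name` stays data, not syntax.
    public static List<Customer> ByNameParam(DataContext db, string name)
    {
        return db.ExecuteQuery<Customer>(
            "SELECT Id, Name FROM Customers WHERE Name = {0}", name).ToList();
    }

    // Only as safe as the procedure. @p0 is bound correctly on the client,
    // but if FindCustomers builds its own statement, e.g.
    //   EXEC('SELECT ... WHERE Name = ''' + @name + '''')
    // the parameter is concatenated again on the server and injection is
    // back. The fix lives in T-SQL (sp_executesql with a parameter list,
    // never EXEC of a concatenated string), not in this call.
    public static List<Customer> ByNameProc(DataContext db, string name)
    {
        return db.ExecuteQuery<Customer>("EXEC FindCustomers {0}", name).ToList();
    }
}
```

The same split applies to Entity Framework: `Database.SqlQuery<T>("... WHERE Name = @p0", name)` binds a parameter, while passing a string built with `+` or `string.Format` to `SqlQuery`/`ExecuteSqlCommand` reproduces the concatenation bug in `ByNameConcat`.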