Entity Framework的SQL运算符函数对SQL注入是否安全? [英] Are SQL operator functions for Entity Framework safe against SQL injection?
问题描述
这些函数可以访问SQL中的特殊功能(SqlClient)。例如喜欢或之间。他们也为他们提供了一个更好的共同抽象层。不要与存储过程功能混淆,这是另一个问题。
我的问题是,我似乎找不到完整的答案。是否可以安全使用,或者我将系统打开到 SQL注入攻击?编写常规的SqlCommands时,我总是使用绑定变量。
但移动到实体框架。对SQL语句的控制较少。我不介意,但是当我连接一个来自浏览器的字符串并将其传递给一个函数时,我不禁担心。
这是一个例子:
var QueryResult = EFContext.Table.Where(x =>
SqlFunctions.PatIndex(%+ Potentially_unsafe_search_keyword +%,
x.Column)> 0);
我做了一些测试,并跟踪发送到服务器的实际SQL。单引号自动转出。那么显然有一些保护。发生了一些消毒。插入语句确实使用绑定变量。我应该用单引号替换吗?
Linq中的每个常量,变量,参数都作为IDbCommand中的命令参数传递,而这又是由基础驱动程序逃脱的。
除非有错误,否则所有EF查询和SQL帮助函数都是安全的,防止SQL注入攻击。 b $ b
These functions give access to specialty functions (SqlClient) in SQL. For example 'like' or 'between'. And they also give a nicer common abstraction layer for them. Not to be confused with stored procedure(s) "functions" which is the topic of this other question.
My question that I can't seem to find a full answer for is. Are they safe to use, or am I opening the system to a SQL injection attack? I always use bound variables when writing regular SqlCommands.
But in moving to Entity Framework. There is less control over the SQL statements. I don't mind it, but I can't help worrying when I concatenate a string coming from a browser and pass it to a function.
Here is an example:
var QueryResult = EFContext.Table.Where(x =>
SqlFunctions.PatIndex("%" + Potentially_unsafe_search_keyword + "%",
x.Column) > 0);
I did some tests and traced the actual SQL sent to the server. Single quotes are escaped out automatically. So clearly there is some protection there. There is some sanitization taking place. Insert statements do use bind variables. Should I be content with the single quote replacement? Is there something else going on behind the scenes?
Every Constant, variable, parameter in Linq is passed as command parameter in IDbCommand, which in turn is escaped by underlying driver.
Unless there is a bug, all EF queries and SQL helper functions are safe against SQL injection attacks.
这篇关于Entity Framework的SQL运算符函数对SQL注入是否安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
