开发者

Potential for SQL injection here?

This may be a really dumb question but I figure why not...

I am using RIA Services with Entity Framework as the back end. I have some places in my a开发者_如何转开发pp where I accept user input and directly ask RIA Services (and in turn EF and in turn my database) questions using their data. Do any of these layers help prevent security issues or should I scrub my data myself?

For example, whenever a new user registers with the app, I call this method:

[Query]
public IEnumerable<EmailVerificationResult> VerifyUserWithEmailToken(string token)
{
    using (UserService userService = new UserService())
    {
        // token came straight from the user, am I in trouble here passing it directly into
        // my DomainService, should I verify the data here (or in UserService)?
        User user = userService.GetUserByEmailVerificationToken(token);
        ...
    }
}

(and whether I should be rolling my own user verification system is another issue altogether, we are in the process of adopting MS's membership framework. I'm more interested in sql injection and RIA services in general)


sql injection is based on unescaped strings being used when generating a raw sql string

eg

"SELECT * FROM `user` WHERE `name` = '" . $name . "'"

is vulnerable, because the value of $name could contain a ' mark and thus modify the meaning of the sql statement. a good example is if $name is ' OR 1=1; -- hence making that sql query :

"SELECT * FROM `user` WHERE `name` = '' OR 1=1; --'"

which is very useful for bypassing password checks i can tell you :)

the correct way around this is to escape the ' character to \' (for mysql). that is why languages such as php provide mysql_real_escape_string. however, if you use a proper parameterised query system, then you can pass through anything you like and the library will escape it correctly.

looking at your code, there's no reason to check the value of token unless your UserService does some dodgy sql string generation (and i'm sure entity-framework is not doing that, so you should be just fine)


EF will parameterize this for you, however if you really want to make sure start up SQL Profiler and see what is being sent to SQL Server


You should be safe, I'm sure EF is generating parametrized queries to retrieve the data from your database.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜