Potential for SQL injection here?
This may be a really dumb question but I figure why not...
I am using RIA Services with Entity Framework as the back end. I have some places in my a开发者_如何转开发pp where I accept user input and directly ask RIA Services (and in turn EF and in turn my database) questions using their data. Do any of these layers help prevent security issues or should I scrub my data myself?
For example, whenever a new user registers with the app, I call this method:
[Query]
public IEnumerable<EmailVerificationResult> VerifyUserWithEmailToken(string token)
{
using (UserService userService = new UserService())
{
// token came straight from the user, am I in trouble here passing it directly into
// my DomainService, should I verify the data here (or in UserService)?
User user = userService.GetUserByEmailVerificationToken(token);
...
}
}
(and whether I should be rolling my own user verification system is another issue altogether, we are in the process of adopting MS's membership framework. I'm more interested in sql injection and RIA services in general)
sql injection is based on unescaped strings being used when generating a raw sql string
eg
"SELECT * FROM `user` WHERE `name` = '" . $name . "'"
is vulnerable, because the value of $name
could contain a ' mark and thus modify the meaning of the sql statement. a good example is if $name is ' OR 1=1; --
hence making that sql query :
"SELECT * FROM `user` WHERE `name` = '' OR 1=1; --'"
which is very useful for bypassing password checks i can tell you :)
the correct way around this is to escape the ' character to \' (for mysql). that is why languages such as php provide mysql_real_escape_string
. however, if you use a proper parameterised query system, then you can pass through anything you like and the library will escape it correctly.
looking at your code, there's no reason to check the value of token
unless your UserService does some dodgy sql string generation (and i'm sure entity-framework is not doing that, so you should be just fine)
EF will parameterize this for you, however if you really want to make sure start up SQL Profiler
and see what is being sent to SQL Server
You should be safe, I'm sure EF is generating parametrized queries to retrieve the data from your database.
精彩评论