0

This answer describes how an ORM doesn't protect me from SQL injections, however I'm not entirely clear on how I would "do things wrong" vs "doing things right".

Can someone provide an example in EntityFramework, or Telerik OpenAccess on how SQL injection can be done, and mitigated?

Community
  • 1
  • 1
makerofthings7
  • 60,103
  • 53
  • 215
  • 448
  • It's not necessarily that the concept of an ORM would fail you, it's that if an ORM has a vulnerability, that's where the issue comes in. At least, that's what I gather. Same with any other framework, library, or whole application. – Zarathuztra Dec 07 '13 at 21:40

1 Answers1

2

Any mature ORM will be void of sql-injection vulnerabilities as long as you communicate through the object model. So if you have a method (with Entity Framework) that executes

dbContext.Companies.Where(c => c.Name == someParameterFromUI)

a user can enter a search parameter like "'x'; drop table Users;", but the query engine will parametrize the query and the only result is that no companies will be found (unless some company was a barrel of laughs when they coined their name).

But..

Any mature ORM will have its backdoors by which you can write vulnerable code if you insist. NHibernate and EF (I don't know OpenAccess) offer ways to send raw SQL queries to the database. So you can use them as unsafe as you want. I'd rather say though, that doing so you're not using an ORM any more. You're only using the database connection that the ORM tool kindly exposes in a user-friendly API.

Gert Arnold
  • 105,341
  • 31
  • 202
  • 291