
I have this controller method below:

[HttpPost]
public ActionResult Login(UserDetails userdetails)

What have I done so far?

  1. Replaced potential SQL candidates in my form (on the jQuery side, e.g. replacing '&' with 'amp').
  2. Added a ModelState.IsValid() check on the server side.

Are these two checks enough, or how should I make sure that userDetails.UserName is free from injected SQL (like 1=1 SQL injection attacks)?



Using Entity Framework, Dapper or a regular parameterized query should be sufficient.

Roman Svitukha
  • I'm already using Entity Framework. Does it mean EF is free from SQL injection attacks altogether? – now he who must not be named Sep 07 '18 at 19:56
  • Yes, if you are using parameterized queries or LINQ. Although query composition is possible in LINQ to Entities, it is performed through the object model API. Unlike Entity SQL queries, LINQ to Entities queries are not composed by using string manipulation or concatenation, and they are not susceptible to traditional SQL injection attacks. (ref: https://learn.microsoft.com/en-us/dotnet/framework/data/adonet/ef/security-considerations) – Roman Svitukha Sep 07 '18 at 20:01
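To make the answer concrete, here is the username lookup behind a Login action written the vulnerable way and then the three safe ways the answer names (plain parameterized ADO.NET, Dapper, and Entity Framework). This is an added example, not code from the question or the answer. It assumes a Users table with Id, UserName and PasswordHash columns, System.Data.SqlClient, Dapper, and an EF Core 3 or later DbContext named AppDbContext; the class, table and column names are assumptions for the illustration. The first method is deliberately vulnerable to show what the 1=1 payload does.

```csharp
// Added example (not from the question or the answer above): the same
// username lookup written four ways. Assumed names: Users table with
// Id/UserName/PasswordHash, AppDbContext, User. Requires the
// System.Data.SqlClient, Dapper and Microsoft.EntityFrameworkCore packages.
using System;
using System.Data.SqlClient;
using System.Linq;
using Dapper;
using Microsoft.EntityFrameworkCore;

public class User
{
    public int Id { get; set; }
    public string UserName { get; set; }
    public string PasswordHash { get; set; }
}

public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<User> Users { get; set; }
}

public static class UserLookup
{
    // VULNERABLE: the user-controlled value becomes part of the SQL text.
    // With userName = "admin' OR 1=1 --" the statement becomes
    //   SELECT ... WHERE UserName = 'admin' OR 1=1 --'
    // which matches every row; the "--" comments out the trailing quote.
    public static User Vulnerable(SqlConnection conn, string userName)
    {
        string sql = "SELECT Id, UserName, PasswordHash FROM Users WHERE UserName = '"
                     + userName + "'";
        using (var cmd = new SqlCommand(sql, conn))
        using (var reader = cmd.ExecuteReader())
        {
            return reader.Read() ? Map(reader) : null;
        }
    }

    // SAFE (plain ADO.NET): the value travels as a typed parameter, never as
    // SQL text, so quotes and comment markers inside it are just characters.
    public static User Parameterized(SqlConnection conn, string userName)
    {
        const string sql = "SELECT Id, UserName, PasswordHash FROM Users WHERE UserName = @UserName";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@UserName", System.Data.SqlDbType.NVarChar, 256).Value = userName;
            using (var reader = cmd.ExecuteReader())
            {
                return reader.Read() ? Map(reader) : null;
            }
        }
    }

    // SAFE (Dapper): members of the anonymous object become parameters.
    public static User WithDapper(SqlConnection conn, string userName)
    {
        return conn.QueryFirstOrDefault<User>(
            "SELECT Id, UserName, PasswordHash FROM Users WHERE UserName = @UserName",
            new { UserName = userName });
    }

    // SAFE (EF LINQ): the provider generates the SQL and parameterizes userName.
    public static User WithEfLinq(AppDbContext db, string userName)
    {
        return db.Users.FirstOrDefault(u => u.UserName == userName);
    }

    // EF raw SQL is safe only while the value stays out of the SQL string.
    // FromSqlInterpolated turns the interpolation hole into a parameter;
    // FromSqlRaw("... = '" + userName + "'") would reintroduce the bug.
    public static User WithEfRawSql(AppDbContext db, string userName)
    {
        return db.Users
            .FromSqlInterpolated($"SELECT Id, UserName, PasswordHash FROM Users WHERE UserName = {userName}")
            .FirstOrDefault();
    }

    private static User Map(SqlDataReader r) => new User
    {
        Id = r.GetInt32(0),
        UserName = r.GetString(1),
        PasswordHash = r.GetString(2)
    };
}
```

Calling each method with the username `admin' OR 1=1 --` shows the difference: `Vulnerable` returns the first user in the table, the other four return null because no account literally has that name. Two points follow from this that the question's two checks do not cover: the jQuery replacement runs in the browser, so an attacker simply posts the form body directly without it, and ModelState.IsValid only enforces the validation attributes declared on UserDetails, neither of which affects how the SQL is built. The EF guarantee in the answer is about LINQ queries; EF's raw-SQL entry points will happily execute a concatenated string, so keep the value in a parameter there too.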