2

I am using ASP.NET MVC 3 with WCF and EF 4.1 with SQL Azure. I am building the search engine for my application and using Dynamic LINQ to build queries. I want to avoid SQL injection in this scenario. What is the best practice for this? What precautions should I take in this scenario?

Red Swan

2 Answers

8

As long as you are building your queries through LINQ, then you are not vulnerable to SQL injection. While this doesn't mean that your code is invulnerable to ALL sorts of attacks (brute forcing passwords, etc.), you won't be vulnerable to SQL injection.

Adam Robinson
1

Dynamic LINQ automatically protects against a SQL injection attack, even if you build up your arguments using Request.QueryString etc.

You can add your own layer of very basic checking by making sure that no input strings contain the ";" character, which is typically used in SQL injection to allow entering custom SQL queries.

See also http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx.

Roy Dictus
  • Just a "fail fast" measure; you can reject such input strings right away rather than down the chain. – Roy Dictus Dec 02 '11 at 16:32
  • 3
    But why reject them at all? Simply having a semicolon is not a sign of malicious behavior. If the input doesn't *need* sanitizing, why impose arbitrary restrictions on the user? – Adam Robinson Dec 02 '11 at 17:38
  • I agree with @Adam, but if you were going to scan for malicious input, wouldn't you look for single quotes anyway? – Richard Astbury Dec 02 '11 at 19:20
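A worked illustration of the point both answers make (LINQ and Dynamic LINQ send user values as SQL parameters, so no character filtering is needed), added here and not part of either answer. It assumes EF 4.1's DbContext API and the System.Linq.Dynamic library; the `Product` model, `ShopContext` and the search fields are hypothetical.

```csharp
using System;
using System.Data.Entity;
using System.Linq;
using System.Linq.Dynamic; // Dynamic LINQ (the "DynamicQuery" sample library)

// Hypothetical model and context used only for this example.
public class Product
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string Category { get; set; }
}

public class ShopContext : DbContext
{
    public DbSet<Product> Products { get; set; }
}

public static class ProductSearch
{
    // VULNERABLE: user text is concatenated into the SQL text itself.
    // A single quote in the input ends the literal and the remainder of the
    // input is executed as SQL. This is the pattern LINQ lets you avoid.
    public static IQueryable<Product> RawSqlUnsafe(ShopContext db, string category)
    {
        string sql = "SELECT * FROM Products WHERE Category = '" + category + "'";
        return db.Database.SqlQuery<Product>(sql).AsQueryable();
    }

    // SAFE: LINQ to Entities. The lambda is an expression tree; EF emits
    // `category` as a SQL parameter, never as part of the SQL string, so a
    // quote or semicolon in the input is just data.
    public static IQueryable<Product> LinqSafe(ShopContext db, string category)
    {
        return db.Products.Where(p => p.Category == category);
    }

    // SAFE: Dynamic LINQ. The predicate string is parsed into the same kind
    // of expression tree, and the user value enters through the @0
    // placeholder, not by concatenation into the predicate. Only the field
    // name goes into the predicate text, so restrict it to a known list
    // rather than taking it verbatim from the request.
    public static IQueryable<Product> DynamicSafe(ShopContext db, string field, string value)
    {
        string[] allowed = { "Name", "Category" };
        if (Array.IndexOf(allowed, field) < 0)
            throw new ArgumentException("Unknown search field", "field");
        return db.Products.Where(field + " == @0", value);
    }
}
```

Calling `ToString()` on the `IQueryable` returned by `LinqSafe` or `DynamicSafe` shows the generated SQL with a parameter marker in place of the value, which is the easiest way to confirm the point the answers make.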