
Entity Framework + sql injection

I'm building up an IQueryable where I am applying relevant filters, and I come across this line of code here.

items = items.OrderBy(string.Format("{0} {1}", sortBy, sortDirection));

Is this snippet vulnerable to SQL injection? Or are these (string) parameters parameterized behind the scenes? I assumed that all Linq queries were escaped and parameterized for me, but the fact that I am able to pass in a string directly like this is throwing me off.

First Point:

You have to avoid returning IQueryable<T> types from methods that are exposed to potentially untrusted callers for the following reasons:

  • A consumer of a query that exposes an IQueryable<T> type could call methods on the result that expose secure data or increase the size of the result set. For example, consider the following method signature:

    public IQueryable<Customer> GetCustomer(int customerId)

A consumer of this query could call .Include("Orders") on the returned IQueryable<Customer> to retrieve data that the query did not intend to expose. This can be avoided by changing the return type of the method to IEnumerable<T> and calling a method (such as .ToList()) that materializes the results.

  • Because IQueryable<T> queries are executed when the results are iterated over, a consumer of a query that exposes an IQueryable<T> type could catch exceptions that are thrown. Exceptions could contain information not intended for the consumer.

Second Point:

How to prevent SQL injection attacks?

  • Entity SQL injection attacks:

SQL injection attacks can be performed in Entity SQL by supplying malicious input to values that are used in a query predicate and in parameter names.

To avoid the risk of SQL injection, you should never combine user input with Entity SQL command text.

Entity SQL queries accept parameters everywhere that literals are accepted. You should use parameterized queries instead of injecting literals from an external agent directly into the query. You should also consider using query builder methods to safely construct Entity SQL.

  • LINQ to Entities injection attacks:

Although query composition is possible in LINQ to Entities, it is performed through the object model API. Unlike Entity SQL queries, LINQ to Entities queries are not composed by using string manipulation or concatenation, and they are not susceptible to traditional SQL injection attacks.

Reference: Security Considerations (Entity Framework)
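As an added illustration for the question's OrderBy(string) line and the answer's advice to build queries through the object model rather than from user-controlled text (this is example code, not from the question, the answer, or Entity Framework itself): a C# helper that applies a caller-supplied sort column and direction through an allow-list and an expression tree, so the query provider only ever translates a member access. The Customer type, its properties and the allowed column set are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;

// Hypothetical entity used only for this example.
public class Customer
{
    public int Id { get; set; }
    public string Name { get; set; } = "";
    public DateTime Created { get; set; }
}

public static class SafeOrdering
{
    // Exact-match allow-list of sortable properties (assumed for the example).
    // Anything not listed is rejected before it reaches the query provider.
    private static readonly HashSet<string> SortableCustomerColumns =
        new(StringComparer.Ordinal) { "Id", "Name", "Created" };

    public static IQueryable<T> OrderBySafe<T>(this IQueryable<T> source,
        string sortBy, string sortDirection, ISet<string> allowedColumns)
    {
        if (!allowedColumns.Contains(sortBy))
            throw new ArgumentException($"Unsupported sort column: {sortBy}");

        bool descending = sortDirection.Equals("desc", StringComparison.OrdinalIgnoreCase);
        if (!descending && !sortDirection.Equals("asc", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException($"Unsupported sort direction: {sortDirection}");

        // Build the key selector x => x.<sortBy> as an expression tree; the
        // provider sees a typed member access, never a user-controlled string.
        var param = Expression.Parameter(typeof(T), "x");
        var member = Expression.Property(param, sortBy);
        var keySelector = Expression.Lambda(member, param);

        // Pick Queryable.OrderBy / OrderByDescending (the 2-parameter overloads).
        var method = typeof(Queryable).GetMethods()
            .First(m => m.Name == (descending ? "OrderByDescending" : "OrderBy")
                        && m.GetParameters().Length == 2)
            .MakeGenericMethod(typeof(T), member.Type);

        return (IQueryable<T>)method.Invoke(null, new object[] { source, keySelector })!;
    }

    public static IQueryable<Customer> OrderCustomers(IQueryable<Customer> items,
        string sortBy, string sortDirection) =>
        items.OrderBySafe(sortBy, sortDirection, SortableCustomerColumns);
}
```

With an untrusted value such as sortBy = "Name); DROP TABLE Customers--" the call throws before any query is composed, while a listed column such as "Created" with "desc" produces an ordinary expression-tree OrderByDescending that Entity Framework translates like any hand-written LINQ ordering.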
