
Possible SQL-Injection with user defined functions and entity framework?

My ASP.NET MVC 4 application uses MS-SQL user defined functions to do a fulltext search. I followed this post and created the following code:

in Model Class:

if (suchstring.Trim() != "")
{
    // search for each piece separated by space; each piece is passed as its own UDF parameter
    var such = suchstring.Split(' ');
    int index = 0;
    foreach (string teil in such)
    {
        index++;
        if (teil.Trim() != "")
        {
            // prefix term "teil*" for CONTAINSTABLE, joined on the key column
            res = res.Join(db.udf_FirmenSucheMultiple(string.Format("\"{0}*\"", teil), index), l => l.ID, s => s.KEY, (l, s) => l);
        }
    }
}

Mapping function:

[EdmFunction("TQCRMEntities", "udf_AnsprechpartnerFirmaSuche")]
public virtual IQueryable<udf_AnsprechpartnerFirmaSuche_Result> udf_AnsprechpartnerFirmaSucheMultiple(string keywords, int index)
{
    // distinct parameter name per call so several calls can be joined in one query
    string param_name = String.Format("k_{0}", index);

    var keywordsParameter = keywords != null ?
        new ObjectParameter(param_name, keywords) :
        new ObjectParameter(param_name, typeof(string));

    // the keyword value is bound as a parameter, never concatenated into the Entity SQL
    return ((IObjectContextAdapter)this).
        ObjectContext.CreateQuery<udf_AnsprechpartnerFirmaSuche_Result>(
        String.Format("[TQCRMEntities].[udf_AnsprechpartnerFirmaSuche](@{0})", param_name), keywordsParameter);
}

SQL User defined function:

create function udf_AnsprechpartnerFirmaSuche
    (@keywords nvarchar(4000))
returns table
as
return (select [KEY], [rank] from containstable(AnsprechpartnerFirma, *, @keywords, LANGUAGE 1031))

If I try to search for " I get a 500 Server Error (syntax error from the SQL Server).

My question is if my app is vulnerable to SQL injections and how I should protect against them.

Is it safe to just remove * and " from the input?

From http://msdn.microsoft.com/en-us/library/ms189760.aspx

CONTAINSTABLE is used in the FROM clause of a Transact-SQL SELECT statement and is referenced as if it were a regular table name. It performs a SQL Server full-text search on full-text indexed columns containing character-based data types.

If you read Quassnoi's answer with regard to searching the full-text index for double quotes:

Punctuation is ignored. Therefore, CONTAINS(testing, "computer failure") matches a row with the value, "Where is my computer? Failure to find it would be expensive."

Documentation can be found here.

See his answer for an alternative using the LIKE operator.

To answer your questions:

My question is if my app is vulnerable to SQL injections and how I should protect against them.

You are using parameters properly in your UDF. It should be safe from SQL injection.

Is it safe to just remove * and " from the input?

No. Never try to blacklist characters in an attempt to prevent SQL injection. You will almost certainly fail.

See OWASP SQL Injection Prevention for details.
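As an added example (not code from the question or the answer): the 500 error on a lone " is a full-text grammar error, not injection, because the parameter value still has to be a valid CONTAINSTABLE search condition. Rather than blacklisting characters, the helper below allowlists letters and digits per token, builds one "term*" AND "term*" condition, and hands that whole string to the UDF as a single parameter; the single-call form, the combined condition, and the `FullTextSearch` name are assumptions of this example, not the asker's design.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

// Added helper (hypothetical name): turns free user input into one
// CONTAINSTABLE search condition. SQL injection is already handled by the
// ObjectParameter binding in the UDF mapping; this only keeps the value
// inside the full-text search-condition grammar so no syntax error occurs.
public static class FullTextSearch
{
    // Allowlist: Unicode letters and decimal digits only (umlauts included).
    // Quotes, wildcards, parentheses and operators from the user are dropped.
    private static readonly Regex Token =
        new Regex(@"[\p{L}\p{Nd}]+", RegexOptions.Compiled);

    // Returns null when nothing searchable remains, e.g. for the input "\"".
    public static string BuildCondition(string suchstring)
    {
        if (string.IsNullOrWhiteSpace(suchstring))
            return null;

        var terms = Token.Matches(suchstring)
            .Cast<Match>()
            .Select(m => "\"" + m.Value + "*\"")          // prefix term per token
            .Distinct(StringComparer.OrdinalIgnoreCase)
            .ToList();

        // "Müller*" AND "GmbH*" : every token must match, like the per-token join
        return terms.Count == 0 ? null : string.Join(" AND ", terms);
    }
}

// Usage in the model (db and udf mapping as in the question, assumed):
//   string cond = FullTextSearch.BuildCondition(suchstring);
//   if (cond != null)
//       res = res.Join(db.udf_AnsprechpartnerFirmaSucheMultiple(cond, 1),
//                      l => l.ID, s => s.KEY, (l, s) => l);
```

For the input `Müller "GmbH` the helper yields `"Müller*" AND "GmbH*"`; for `"` alone it yields null, so no query is issued and the syntax error from the question does not occur.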
