
Is there any risk in using commands like the one below?

// MyDbContext is assumed to be a DbContext subclass (name not given in the post);
// ExecuteSqlCommand lives on DbContext.Database, not on an ADO.NET DbConnection.
using (var db = new MyDbContext())
{
    db.Database.ExecuteSqlCommand("command and maybe @param", new SqlParameter("param", param));
}

I need to use some old-style commands to select protected columns, and I wonder whether there is any SQL injection risk even with Entity Framework.

1 Answer

As long as you're not doing any string concatenation in code OR in your SQL command, you are safe from SQL injection.

EDIT

For clarification, it is OK if your parameters are string values. But if your parameter contains SQL, you're probably not safe. As for what I meant by string concatenation in your SQL command: you would likely have to use the SQL command EXEC in order to get it to work, and you'd be in trouble.

SAFE:

SELECT * FROM Employees WHERE employeeId = @employeeId

DANGEROUS:

EXEC ('SELECT * FROM Employees WHERE employeeId = ''' + @employeeId + '''')
-OR-
-- sp_executesql only accepts a Unicode constant or variable, not a concatenation expression,
-- so the dynamic string has to be built into a variable first; the injection is the same.
DECLARE @sql NVARCHAR(MAX) = N'SELECT * FROM Employees WHERE employeeId = ''' + @employeeId + '''';
EXEC sp_executesql @sql
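The distinction the answer draws (the parameter is bound safely at the outer layer, but the SQL text itself splices it into a second statement) can be reproduced offline. The following is an added example, not code from the question or the answer: it uses Python and sqlite3 in place of SQL Server, so the T-SQL EXEC layer is emulated by a Python function that builds a second statement from the already-bound value, and the sp_executesql-with-parameters form is emulated by binding the value into the dynamic statement. Table, rows and the payload string are constructed for the demonstration; the function names are hypothetical.

```python
import sqlite3


def make_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Employees (employeeId INTEGER, name TEXT, salary INTEGER)"
    )
    conn.executemany(
        "INSERT INTO Employees VALUES (?, ?, ?)",
        [(1, "alice", 100), (2, "bob", 200), (3, "carol", 300)],
    )
    return conn


def parameterized_lookup(conn, employee_id):
    """SAFE: the value is bound, never part of the statement text.

    Equivalent of ExecuteSqlCommand("... WHERE employeeId = @employeeId",
    new SqlParameter("employeeId", value)); the driver sends the text and the
    value separately, so quotes in the value cannot change the statement.
    """
    return conn.execute(
        "SELECT name FROM Employees WHERE employeeId = ?", (employee_id,)
    ).fetchall()


def dynamic_exec_lookup(conn, employee_id):
    """DANGEROUS: emulates EXEC('... employeeId = ''' + @employeeId + '''').

    employee_id arrived as a bound parameter, but this layer (standing in for a
    stored procedure or EXEC block) concatenates it into a new statement, so the
    outer parameterisation buys nothing.
    """
    dynamic_sql = (
        "SELECT name FROM Employees WHERE employeeId = '" + str(employee_id) + "'"
    )
    return conn.execute(dynamic_sql).fetchall()


ALLOWED_COLUMNS = {"name", "salary"}


def dynamic_parameterized_lookup(conn, column, employee_id):
    """Safe dynamic SQL: emulates sp_executesql with a parameter definition.

    Dynamic SQL is sometimes legitimate (here: choosing which column to return).
    Only an allow-listed identifier goes into the statement text; the value is
    still bound, which is what sp_executesql N'...@id', N'@id int', @id = @x does.
    """
    if column not in ALLOWED_COLUMNS:
        raise ValueError("column not allowed: %r" % column)
    sql = "SELECT %s FROM Employees WHERE employeeId = ?" % column
    return conn.execute(sql, (employee_id,)).fetchall()


# Constructed payload: closes the quoted literal and appends an always-true clause.
PAYLOAD = "2' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("parameterized, payload  :", parameterized_lookup(db, PAYLOAD))
    print("EXEC-style, payload     :", dynamic_exec_lookup(db, PAYLOAD))
    print("sp_executesql-style     :", dynamic_parameterized_lookup(db, "salary", PAYLOAD))
```

Run it as a script: the parameterized and sp_executesql-style lookups return no rows for the payload, while the EXEC-style lookup returns every employee. The rule of thumb matches the answer: parameters protect the statement you bind them to, not any statement that is later built from their text.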

3 Comments

Even when using parameters as strings?
@MahmutYaman Firstly, EF would be a bit crap if it had such a HUGE security hole in it. Secondly, EF under the covers uses parameterized queries, which are injection-safe.
@aron True, but EF does allow the dangerously crafted SQL above. Using parameters alone doesn't protect you; you need to use them correctly.
