
In my project I have defined a stored procedure with the example code below:

CREATE PROCEDURE [dbo].[Stored]
    @ParameterA AS varchar(128),
    @ParameterB AS varchar(128),
    @ParameterC AS varchar(400)
AS
BEGIN
    -- sp_executesql only accepts an nvarchar statement
    DECLARE @query AS nvarchar(MAX)

    -- Parameter values are concatenated straight into the statement text;
    -- this concatenation is the injection point
    SET @query = N'SELECT *
                  FROM [Table]
                  WHERE A = ''' + @ParameterA + ''''

    IF @ParameterB = 'B'
    BEGIN
        SET @query = @query + N' AND C = ''' + @ParameterC + ''''
    END

    EXECUTE sp_executesql @query
END

I call this procedure with Entity Framework through the following code:

// Requires: using System.Data.SqlClient;
// The command text has to pass the parameters on to the procedure;
// "Stored" alone would execute it without any arguments.
DBContext.Database.SqlQuery<Object>("EXEC [dbo].[Stored] @p0, @p1, @p2",
    new SqlParameter("@p0", Param0),
    new SqlParameter("@p1", Param1),
    new SqlParameter("@p2", Param2)).ToList();

If I call the stored procedure with the string below, I get a SQL injection:

Param2 = "ABC' ; DROP TABLE Table2"

How can I prevent this with Entity Framework?

  • I suggest you avoid all forms of string concatenation in SQL statements, even inside a stored procedure. Additionally, you can sanitize input by filtering words so that SQL keywords are removed on the EF side before executing the query. Commented May 29, 2017 at 8:33
  • possibly related Commented May 29, 2017 at 8:33
  • I think you cannot prevent such a thing with EF itself. I would consider looking at the bigger picture: msdn.microsoft.com/en-us/library/cc716760(v=vs.110).aspx Commented May 29, 2017 at 8:35
  • Why are you using such a stored procedure instead of letting EF generate a secure query? If Table is mapped to an entity, why don't you write an EF query to return it, using different Where() clauses as necessary? Commented May 29, 2017 at 9:04
  • @Marco what are you trying to do? Why not write a simple context.Entities.Where(condition1) or context.Entities.Where(condition2) in LINQ? Or even var query=context.Entities.Where(condition1);query=query.Where(condition2) if you want to add multiple conditions dynamically? Commented May 29, 2017 at 9:09

2 Answers

You cannot

The underlying SQL procedure is faulty and a security nightmare. There is no way you can repair that on the layer on top of it. You are doing the best you can in Entity Framework, but it's still unsafe. You need to repair the problem (the SQL proc) and not apply band-aids to the layer using it.

sp_executesql seems to be a good starting point for a procedure that needs to have dynamic SQL and bind parameters.


5 Comments

Thanks for your answer, but I can't rewrite my stored procedure. Is there a library to prevent SQL injections? Can I use a regular expression to validate the input parameter?
@Marco your stored procedure itself is the SQL injection. You'll have to drop it. No amount of hacking (that's what those "sanitization" libraries are) is going to make it secure. Why are you trying to use a stored procedure when you have EF? EF and LINQ already allow you to specify criteria dynamically
@Marco No. You can apply all kind of band aids to make sure your parameters do not contain SQL code, but in the end, that's an arms race. You will always be one step behind and constantly updating.
This is a sample. The real stored procedure works with a big dataset and the performance is better than an EF query.
Whoever is in charge of that procedure, call it with D'Artagnan as last name and file a bug against his or her bugtracker.
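The answer points at sp_executesql with bound parameters as the fix. The procedure below is an added example (not code from the question or from any answer) showing what that looks like for the question's own procedure: the statement text still varies with @ParameterB, but the user-supplied values travel as typed parameters that the driver binds, never as text spliced into the statement. The procedure name Stored_Safe, the bracketed table [Table] and the test values at the bottom are assumptions made for this example.

```sql
CREATE PROCEDURE [dbo].[Stored_Safe]
    @ParameterA AS varchar(128),
    @ParameterB AS varchar(128),
    @ParameterC AS varchar(400)
AS
BEGIN
    SET NOCOUNT ON;

    -- sp_executesql requires the statement and its parameter list to be nvarchar
    DECLARE @query  nvarchar(MAX);
    DECLARE @params nvarchar(MAX);

    -- Only the SHAPE of the statement is built dynamically; every value is a
    -- placeholder, so nothing the caller sends is ever part of the SQL text.
    SET @query = N'SELECT * FROM dbo.[Table] WHERE A = @A';

    IF @ParameterB = 'B'
    BEGIN
        SET @query = @query + N' AND C = @C';
    END

    -- Declare every placeholder the statement might use; sp_executesql allows
    -- a declared parameter to go unreferenced when the ELSE branch is taken.
    SET @params = N'@A varchar(128), @C varchar(400)';

    -- Values are bound, not concatenated: a quote or semicolon inside
    -- @ParameterC is plain data compared against column C.
    EXECUTE sp_executesql @query, @params, @A = @ParameterA, @C = @ParameterC;
END
GO

-- Constructed check using the payload from the question: this now returns the
-- rows whose C column literally equals the string, and Table2 is untouched.
EXEC dbo.Stored_Safe
    @ParameterA = 'ABC',
    @ParameterB = 'B',
    @ParameterC = 'ABC'' ; DROP TABLE Table2';
```

Because the two possible statement texts are fixed, SQL Server also caches a plan for each rather than one per distinct input value, which is the performance argument usually made for keeping the procedure instead of moving the query into EF.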

You are creating a dynamic query in which you are concatenating parameters. This is causing the issue.

Do not use a dynamic query, or validate the parameters (if they contain any keywords or characters).

You can also rewrite your query into an IF-ELSE structure on the basis of the parameters, so you do not need a dynamic query.
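The IF-ELSE rewrite suggested here removes dynamic SQL entirely. The procedure below is an added example (not from the question or the answer) of that structure applied to the question's procedure: each branch is an ordinary parameterised statement, so there is nothing to concatenate and nothing for a quote in the input to break out of. The name Stored_Static and the bracketed table [Table] are assumptions for this example.

```sql
CREATE PROCEDURE [dbo].[Stored_Static]
    @ParameterA AS varchar(128),
    @ParameterB AS varchar(128),
    @ParameterC AS varchar(400)
AS
BEGIN
    SET NOCOUNT ON;

    -- Each branch is a static statement; @ParameterA and @ParameterC are
    -- ordinary procedure parameters, compared as values, never as SQL text.
    IF @ParameterB = 'B'
    BEGIN
        SELECT *
        FROM dbo.[Table]
        WHERE A = @ParameterA
          AND C = @ParameterC;
    END
    ELSE
    BEGIN
        SELECT *
        FROM dbo.[Table]
        WHERE A = @ParameterA;
    END
END
GO

-- Constructed check with the question's payload: the string is matched
-- against column C as data, so no second statement can be executed.
EXEC dbo.Stored_Static
    @ParameterA = 'ABC',
    @ParameterB = 'B',
    @ParameterC = 'ABC'' ; DROP TABLE Table2';
```

Keep the conditions in separate branches rather than collapsing them into one WHERE with OR clauses: the separate statements each get their own execution plan, which is usually what a procedure kept for performance reasons wants.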
