I have this controller method below:

[HttpPost]
public ActionResult Login(UserDetails userdetails)

What did I do so far?

  1. Replaced potential SQL candidates in my form (on the jQuery side, e.g. replacing '&' with 'amp').
  2. I have added a ModelState.IsValid check on the server side.

Are these two checks enough, or how should I make sure that userDetails.UserName is free from injected SQL (like 1=1 SQL injection attacks)?

  • You also need to use parameterized queries. Commented Sep 7, 2018 at 19:52
  • @Win: can you please elaborate or provide a link? Commented Sep 7, 2018 at 19:56
  • How do you plan to access the database: ADO.NET, or an ORM like EF or Dapper? Commented Sep 7, 2018 at 20:52
  • It is generally recommended not to try these on your own. Just let the frameworks built for this do it for you. These have been built over years to perform these tasks. Commented Sep 8, 2018 at 0:09

1 Answer

Using Entity Framework, Dapper or a regular parameterized query should be sufficient.

2 Comments

I'm already using Entity Framework. Does it mean EF is free from SQL injection attacks altogether?
Yes, if you are using parameterized queries or LINQ. Although query composition is possible in LINQ to Entities, it is performed through the object model API. Unlike Entity SQL queries, LINQ to Entities queries are not composed by using string manipulation or concatenation, and they are not susceptible to traditional SQL injection attacks. (ref: learn.microsoft.com/en-us/dotnet/framework/data/adonet/ef/…)
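The answer and the comment above say "parameterized query or LINQ" without showing the difference. The following is an added example written for this page, not code from the question or the answer: the same username lookup written four ways, one injectable and three safe, plus the one place where using EF does not protect you by itself. It assumes EF6 (System.Data.Entity), a DbContext named AppDbContext with a DbSet<User>, and a User entity with UserName and PasswordHash columns; all of those names are assumptions, not anything from the original post.

```csharp
// Added example, not part of the original question or answer.
// Assumes EF6, a hypothetical AppDbContext/User model and a SQL Server connection string.
using System;
using System.Data;
using System.Data.Entity;
using System.Data.SqlClient;
using System.Linq;

public class User
{
    public int Id { get; set; }
    public string UserName { get; set; }
    public string PasswordHash { get; set; }
}

public class AppDbContext : DbContext
{
    public DbSet<User> Users { get; set; }
}

public static class UserLookup
{
    // VULNERABLE: the user-controlled value becomes part of the SQL text.
    // A posted UserName of   ' OR 1=1 --   turns the WHERE clause into
    //   WHERE UserName = '' OR 1=1 --'
    // and matches every row. Client-side character replacement in jQuery does
    // not help: an attacker posts the form directly and never runs that script.
    public static User FindUnsafe(string connectionString, string userName)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT Id, UserName, PasswordHash FROM Users WHERE UserName = '" + userName + "'";
            conn.Open();
            return ReadOne(cmd);
        }
    }

    // SAFE (plain ADO.NET): the SQL text is fixed at compile time; the value is
    // sent as a typed parameter and is never parsed as SQL, whatever it contains.
    public static User FindParameterized(string connectionString, string userName)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT Id, UserName, PasswordHash FROM Users WHERE UserName = @userName";
            cmd.Parameters.Add(new SqlParameter("@userName", SqlDbType.NVarChar, 256) { Value = userName });
            conn.Open();
            return ReadOne(cmd);
        }
    }

    // SAFE (LINQ to Entities): EF translates the expression tree to SQL and
    // passes userName as a parameter. There is no string concatenation to abuse.
    public static User FindWithLinq(AppDbContext db, string userName)
    {
        return db.Users.SingleOrDefault(u => u.UserName == userName);
    }

    // CAVEAT: EF's raw-SQL entry points are only safe when you pass parameters.
    // Concatenating userName into the SQL string here would be exactly as
    // injectable as FindUnsafe, even though it goes through EF.
    public static User FindWithRawSql(AppDbContext db, string userName)
    {
        return db.Database
                 .SqlQuery<User>("SELECT Id, UserName, PasswordHash FROM Users WHERE UserName = @p0",
                                 new SqlParameter("@p0", userName))
                 .SingleOrDefault();
    }

    private static User ReadOne(SqlCommand cmd)
    {
        using (var reader = cmd.ExecuteReader())
        {
            if (!reader.Read()) return null;
            return new User
            {
                Id = reader.GetInt32(0),
                UserName = reader.GetString(1),
                PasswordHash = reader.GetString(2)
            };
        }
    }
}
```

In the controller from the question, FindWithLinq(db, userdetails.UserName) is all that is needed; ModelState.IsValid guards model binding and validation attributes, not SQL, and the jQuery replacement is cosmetic. Keep the check that the server-side code never builds SQL text from request data, whether through SqlCommand, Database.SqlQuery or Database.ExecuteSqlCommand.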
