is posible to inject sql into entity framework with this syntax?

Question

0.00/5 (No votes)

See more:

, +

C#

Model.DBEntities db = new Model.DBEntities();
if (db.Users.Any(q => q.UserName == txtUserName.Text && q.Password == MD5Password))
{
 Model.User User = db.Users.First(q => q.UserName == txtUserName.Text && q.Password == MD5Password);
}

Posted 26-Apr-15 9:38am

MohsenGolmehr

Add a Solution

3 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Sascha Lefèvre · Accepted Answer · 2015-04-26T09:53:00

Solution 1

No, it's not possible. Entity Framework will put your strings into Sql-Parameters in order to execute the query so the entered text can't become part of/modify the Sql-Statement itself.

Posted 26-Apr-15 9:53am

Sascha Lefèvre

Updated 26-Apr-15 9:58am

v2

Comments

Maciej Los 26-Apr-15 16:28pm

4! Please, read answer ;)

Sascha Lefèvre 26-Apr-15 16:58pm

He asked specifically about "that syntax" ;-) But it's alright! I agree that I should have mentioned it anyway. Thank you, Maciej :)

Maciej Los 27-Apr-15 1:34am

"That syntax" - it changes everything. Upvoted!

Sascha Lefèvre 27-Apr-15 5:34am

;-)

Maciej Los · Accepted Answer · 2015-04-26T10:24:00

Solution 2

Sascha is right ~~in 75%, becasue SQL injection is possible even using Entity, especially when Entity SQL is used.~~. Linq to Entities is completlty safe about sql injection. Note, that there is few other rules you need to respect. Please see: Security Considerations (Entity Framework)[^]

Posted 26-Apr-15 10:24am

Maciej Los

Updated 26-Apr-15 19:35pm

v3

Comments

Sascha Lefèvre 26-Apr-15 16:58pm

5 for you!

Dave Kreskowiak · Accepted Answer · 2015-04-26T12:03:00

Solution 3

No, it's not possible, but it is also not an excuse to be lazy and not validate and sanitize your inputs anyway.

Posted 26-Apr-15 12:03pm

Dave Kreskowiak