
[Source] EF 6 executes native SQL statements, parameter injection problems

Posted on 6/14/2023 9:14:48 PM
Requirements: The project uses the EF ORM framework for adding, deleting, updating and querying the database, but for complex queries it may not be possible to write them well with LINQ and lambda expressions, so we need EF 6 to execute native SQL statements for querying.

Raw SQL Query (EF6): (link visible after login)

Since the SQL statement needs to carry a WHERE condition, the parameter value is passed in through a URL parameter.


First, our SQL statement uses string concatenation to query, as follows:



The code is as follows:

You can see the SQL statements executed by the database as follows:

SELECT Name FROM [Classification] WHERE Name = 'Mobile Development'; select 1; --'

Concatenating SQL statements this way is at risk of injection.

We modified the code to prevent SQL injection attacks by using parameterized queries; the code is as follows:



exec sp_executesql N'SELECT Name FROM [Classification] WHERE Name = @n',N'@n nvarchar(17)', @n=N'Mobile Dev''; select 1; --'




Instead of concatenating directly, EF Core converts it into a parameterized SQL statement. References are as follows:

EF Core Series (5) executes SQL statements or views, stored procedures
https://www.itsvse.com/thread-9565-1-1.html

(End)
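As an added illustration of the two approaches the post describes (this is example code, not the original post's code; the `ShopContext` and `Classification` types are assumed), the concatenated query is shown beside the parameterized one that produces the `sp_executesql ... @n` trace seen above:

```csharp
using System.Data.Entity;
using System.Data.SqlClient;
using System.Linq;

// Assumed EF6 entity and context, used only for this example.
public class Classification
{
    public int Id { get; set; }
    public string Name { get; set; }
}

public class ShopContext : DbContext
{
    public DbSet<Classification> Classifications { get; set; }
}

public static class ClassificationQueries
{
    // Vulnerable: the URL value becomes part of the SQL text itself.
    // An input such as  Mobile Development'; select 1; --  closes the literal
    // and appends a second statement, which is exactly what the trace
    //   SELECT Name FROM [Classification] WHERE Name = 'Mobile Development'; select 1; --'
    // shows being sent to SQL Server.
    public static string[] QueryByNameConcatenated(ShopContext db, string nameFromUrl)
    {
        string sql = "SELECT Name FROM [Classification] WHERE Name = '" + nameFromUrl + "'";
        return db.Database.SqlQuery<string>(sql).ToArray();
    }

    // Fixed: the value travels as the @n parameter. EF6 hands it to SqlClient,
    // which wraps the call in sp_executesql with an nvarchar parameter sized to
    // the value, so the quote and "--" in the input stay inside the string value
    // and are never parsed as SQL.
    public static string[] QueryByNameParameterized(ShopContext db, string nameFromUrl)
    {
        const string sql = "SELECT Name FROM [Classification] WHERE Name = @n";
        var n = new SqlParameter("@n", nameFromUrl);
        return db.Database.SqlQuery<string>(sql, n).ToArray();
    }
}
```

Parameters protect values only; a table or column name or an ORDER BY expression taken from user input still has to be validated against an allow-list before it is placed in the SQL text.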

Original poster | Posted on 6/17/2023 11:11:50 AM
SQL injection testing with the SQLMAP penetration tool
https://www.itsvse.com/thread-10611-1-1.html
Original poster | Posted on 6/30/2023 8:47:17 PM
Shorthand form

Original poster | Posted on 1/2/2025 12:10:38 PM
[Hands-on] .NET/C# SQL query builder based on sqlkata
https://www.itsvse.com/thread-10370-1-1.html