Does OData take care of SQL injection?

Suppose I have a database full of health records and an ASP.NET MVC application. Suppose someone uses the URL /api/medicalRecords?$filter=id gt 0 to invoke an Ajax request. It seems to me that this is open to SQL injection - just like 10-15 years ago ...

Does this mean that this is a standard case of SQL injection, or is it server dependent (I use an IQueryable result and Entity Framework 4)?

I know that an authentication mechanism is necessary - but for the sake of this question, suppose that no authentication mechanism is in place ...

2 answers

Try reading this blog post for very detailed information on OData and SQL Injection:

http://kscottmorrison.com/tag/sql-injection/

... OData, of course, is a data source connection, so injection is not a problem - just grab it first. And which is critically important, since OData is strictly managing this connection is capable ...


WCF Data Services will parameterize the values from your filter, which eliminates the possibility of SQL injection.

I would recommend looking at the actual SQL queries executed in the database profiler.

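To make the parameterization point concrete, here is an added example (not code from either answer, and not how WCF Data Services or Entity Framework are implemented) of the mechanism the second answer describes: a $filter expression is parsed against a grammar, property names are checked against a whitelist, and every literal is bound as a query parameter instead of being pasted into the SQL text. The table name, column list and sample rows are constructed for the demo; it covers a small subset of the OData comparison and logical operators.

```python
import re
import sqlite3

# Constructed schema for the demo: the only properties a caller may filter on.
TABLE = "medicalRecords"
COLUMNS = {"id", "name"}

COMPARISONS = {"eq": "=", "ne": "<>", "gt": ">", "ge": ">=", "lt": "<", "le": "<="}

# Tokens of the $filter subset handled here. Anything else (';', '--', '=', ...)
# is not a token, so it is rejected before any SQL is built.
TOKEN_RE = re.compile(r"""\s*(?:
      (?P<string>'(?:[^']|'')*')            # OData string literal, '' escapes a quote
    | (?P<number>-?\d+(?:\.\d+)?)           # integer or decimal literal
    | (?P<lparen>\()
    | (?P<rparen>\))
    | (?P<word>[A-Za-z_][A-Za-z0-9_]*)      # property name or operator keyword
    )""", re.VERBOSE)


class FilterError(ValueError):
    """Raised for any $filter text that does not fit the grammar."""


def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            if text[pos:].strip() == "":
                break  # only trailing whitespace left
            raise FilterError(f"unexpected input at offset {pos}: {text[pos:pos + 10]!r}")
        pos = m.end()
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens


class Parser:
    """Recursive-descent parser: or-expr := and-expr ('or' and-expr)*, etc."""

    def __init__(self, tokens, columns):
        self.tokens, self.i, self.columns, self.params = tokens, 0, columns, []

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else (None, None)

    def take(self, kind):
        got_kind, got_val = self.peek()
        if got_kind != kind:
            raise FilterError(f"expected {kind}, got {got_val!r}")
        self.i += 1
        return got_val

    def keyword(self, word):
        kind, val = self.peek()
        return kind == "word" and val.lower() == word

    def parse_or(self):
        left = self.parse_and()
        while self.keyword("or"):
            self.i += 1
            left = f"({left} OR {self.parse_and()})"
        return left

    def parse_and(self):
        left = self.parse_comparison()
        while self.keyword("and"):
            self.i += 1
            left = f"({left} AND {self.parse_comparison()})"
        return left

    def parse_comparison(self):
        if self.peek()[0] == "lparen":
            self.i += 1
            inner = self.parse_or()
            self.take("rparen")
            return inner
        name = self.take("word")
        if name not in self.columns:            # whitelist: identifiers are never trusted
            raise FilterError(f"unknown property {name!r}")
        op = self.take("word").lower()
        if op not in COMPARISONS:
            raise FilterError(f"unknown operator {op!r}")
        kind, lit = self.peek()
        if kind == "string":
            self.params.append(lit[1:-1].replace("''", "'"))   # value goes to params, not SQL
        elif kind == "number":
            self.params.append(float(lit) if "." in lit else int(lit))
        else:
            raise FilterError(f"expected literal, got {lit!r}")
        self.i += 1
        return f"{name} {COMPARISONS[op]} ?"


def filter_to_sql(table, filter_text, columns):
    """Return (sql, params): SQL with '?' placeholders and the bound literal values."""
    p = Parser(tokenize(filter_text), set(columns))
    where = p.parse_or()
    if p.peek()[0] is not None:
        raise FilterError(f"trailing input: {p.peek()[1]!r}")
    return f"SELECT * FROM {table} WHERE {where}", p.params


def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} (id INTEGER, name TEXT)")
    conn.executemany(f"INSERT INTO {TABLE} VALUES (?, ?)", [(1, "Alice"), (2, "O'Brien")])
    return conn


def run_filter(conn, filter_text):
    sql, params = filter_to_sql(TABLE, filter_text, COLUMNS)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    conn = build_demo_db()
    print(filter_to_sql(TABLE, "id gt 0 and name eq 'O''Brien'", COLUMNS))
    print(run_filter(conn, "name eq 'x'' OR 1=1 --'"))   # quote-smuggling text is just a value: no rows
```

The profiler check suggested in the answer is the same idea applied to the real stack: what you want to see in the captured SQL is a placeholder such as @p0 or ? with the filter value supplied separately, never the literal text spliced into the statement.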
