Do Entity Framework function imports automatically escape input to protect against injection?

At the SQL DB level, I have a SPROC that accepts an nvarchar(max) input. In my EDMX, the SPROC is mapped to a function import like methodName(string input). Do I need to manually escape the input to protect against injection, or does Entity Framework do it automatically?

+4
2 answers

It depends...

EF escapes the input for you, so you are safe in most cases.

But if you build dynamic SQL inside the procedure from the inputs, or call another function or procedure with the inputs, you are still exposed to SQL injection.

To prevent SQL injection, you need to follow the input to the end of its execution path and make sure it is validated everywhere it is used.

+4
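As an added illustration of the point made in this answer (not code from the original post), three versions of a hypothetical SQL Server procedure; the table dbo.Customers and the procedure names are assumptions. The first is safe because EF passes the value as a typed parameter; the second is vulnerable because the same parameter is concatenated into query text; the third keeps the dynamic SQL but carries the value as a parameter of sp_executesql.

```sql
-- Constructed example; assumes SQL Server and a table dbo.Customers(Name nvarchar(200)).

-- Safe: the parameter is used only as data in a static statement.
-- EF sends @input as a typed parameter, so nothing needs escaping here.
CREATE PROCEDURE dbo.FindCustomer_Safe
    @input nvarchar(max)
AS
BEGIN
    SELECT Name FROM dbo.Customers WHERE Name = @input;
END
GO

-- Vulnerable: the parameter is spliced into dynamic SQL and executed.
-- Parameterisation on the EF side does not help; a value containing a
-- quote character changes the structure of the statement that EXEC runs.
CREATE PROCEDURE dbo.FindCustomer_Vulnerable
    @input nvarchar(max)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT Name FROM dbo.Customers WHERE Name = ''' + @input + N'''';
    EXEC (@sql);
END
GO

-- Fixed: still dynamic SQL, but the value travels as a parameter of
-- sp_executesql, so it can only ever be compared as data.
CREATE PROCEDURE dbo.FindCustomer_DynamicSafe
    @input nvarchar(max)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT Name FROM dbo.Customers WHERE Name = @p';
    EXEC sp_executesql @sql, N'@p nvarchar(max)', @p = @input;
END
GO
```

When auditing a procedure, look for EXEC with a concatenated string or sp_executesql called without a parameter list; those are the spots where the EF-side parameter stops protecting you.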

Just because you use a stored procedure, you do not need to escape the input, unless you build dynamic SQL inside the stored procedure that is then executed.

+2