LINQ to实体和SQL注入
关于L2E是否易受SQL注入影响,我已经看到了几篇相互矛盾的文章.
I've seen a couple of conflicting articles about whether or not L2E is susceptible to SQL injection.
来自 MSDN :
尽管在LINQ to Entities中可以进行查询组合, 它是通过对象模型API执行的.与实体SQL查询不同, LINQ to Entities查询不是通过使用字符串操作组成的 或串联,并且它们不受传统SQL的影响 注射攻击.
Although query composition is possible in LINQ to Entities, it is performed through the object model API. Unlike Entity SQL queries, LINQ to Entities queries are not composed by using string manipulation or concatenation, and they are not susceptible to traditional SQL injection attacks.
这是否意味着可能存在非传统"攻击? 本文有一个非参数化查询的示例-是否可以安全地假设,如果您通过变量传递用户提供的数据,则该参数将被参数化?
Does that imply that there are "non-traditional" attacks that may work? This article has one example of a non-parameterized query - is it safe to assume that if you pass in user-supplied data via a variable it will be parameterized?
如果我这样做:
from foo in ctx.Bar where foo.Field = userSuppliedString select foo;
我安全吗?
在您的示例中,您使用的是变量(userSuppliedString),因此将对其进行参数化.
In your example you're using a variable (userSuppliedString), so it will be parameterized.
如果您的代码中有文字值:
If you had a literal value in your code:
from foo in ctx.Bar where foo.Field == "Hi" select foo;
...然后EF 1不会对其进行参数化,但是由于SQL注入是文字,因此SQL注入的危险也为零.
...then EF 1 won't parameterize it, but there's also zero danger of SQL injection since it's a literal.