Control SQL injection in MVC

Question

It\'s my first time developing using MVC and I want to make it secure.

When I use HtmlEncode it converts the String to the equivalent HTML String.

The user c

Answer 1

As long as you use parameterized queries or a ORM like NHibernate or Entity Framework you don't have to do anything to prevent SQL injection. Parameters are passed to the server outside the actual SQL statement, as part of the RPC call to the server. Most ORMs use parameterized queries for performance reasones, so they are not vulnerable to SQL injection.

SQL Injection is possible only if you create a SQL statement by concatenating string values.

That said, you still have to be wary of user input to prevent script injection attacks. Fortunately, ASP.NET MVC already provides a request validation mechanism (see Understanding Request Validation).

Answer 2

If you use LINQ to perform your database queries, it eliminates that kind of SQL injection risks for you.

Answer 3

LINQ and Entity Framework already check for SQL Injection for you.

But you should read the documentation anyhow:

LINQ MSDN Link (section SQL-Injection Attacks)

Entity Framework MSDN Link (section Security Considerations for Queries)

Hope it helps!