Question
I execute a string query using EF 4:
string query = "SELECT * FROM Table WHERE ....";
[+ build WHERE clausule based on the user's input values]
db.ExecuteStoreQuery<TAble>(query).ToList();
I'm wondering how to prevent that query from SQL injection in that WHERE clause. Any ideas?
Answer 1:
You need to use a parameterized query:
// Requires: using System.Collections.Generic; using System.Data; using System.Data.SqlClient; using System.Text;
// Build where clause
var filters = new StringBuilder();
var parameters = new List<object>();
if (!string.IsNullOrEmpty(name))
{
    if (filters.Length > 0)
        filters.Append(" AND ");
    filters.Append("name = @name");               // only the placeholder goes into the SQL text
    var param = new SqlParameter("@name", SqlDbType.NVarChar);
    param.Value = name;                            // the user's value travels in the parameter, never in the SQL string
    parameters.Add(param);
}
...
// Build query
string query = "SELECT * FROM Table";
if (filters.Length > 0)
    query = query + " WHERE " + filters;
// Execute: the parameter objects are passed through to the provider alongside the command text
db.ExecuteStoreQuery<TAble>(query, parameters.ToArray()).ToList();
Answer 2:
You will prevent it in the same way as you did when building a SqlCommand. You will make the query parameterized and you will pass a collection of parameters as the second argument into the ExecuteStoreQuery method (if you pass only values, EF will make parameters for you, but you must pass them in the correct order as they appear in the query).
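As an added example (not code from either answer), a complete version of the parameterized WHERE-clause builder described in Answer 1 with several optional filters, plus the value-only `{0}`/`{1}` form that Answer 2 describes; the `Customer` class, the `Customers` table and its columns are assumed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.Objects;   // EF 4 ObjectContext
using System.Data.SqlClient;
using System.Linq;
using System.Text;

// Hypothetical entity mapped by column name to a Customers table (constructed for this example).
public class Customer { public int Id { get; set; } public string Name { get; set; } public string City { get; set; } }

public static class CustomerQueries
{
    // Every user-supplied value travels as a SqlParameter; only fixed SQL fragments are concatenated.
    public static List<Customer> Find(ObjectContext db, string name, string city, DateTime? createdAfter)
    {
        var filters = new List<string>();
        var parameters = new List<object>();
        if (!string.IsNullOrEmpty(name))
        {
            filters.Add("Name = @name");
            parameters.Add(new SqlParameter("@name", SqlDbType.NVarChar, 100) { Value = name });
        }
        if (!string.IsNullOrEmpty(city))
        {
            filters.Add("City = @city");
            parameters.Add(new SqlParameter("@city", SqlDbType.NVarChar, 100) { Value = city });
        }
        if (createdAfter.HasValue)
        {
            filters.Add("CreatedAt > @createdAfter");
            parameters.Add(new SqlParameter("@createdAfter", SqlDbType.DateTime) { Value = createdAfter.Value });
        }
        // The SQL text contains only literals from this method and @placeholders, never user input.
        var sql = new StringBuilder("SELECT Id, Name, City FROM Customers");
        if (filters.Count > 0)
            sql.Append(" WHERE ").Append(string.Join(" AND ", filters.ToArray()));
        return db.ExecuteStoreQuery<Customer>(sql.ToString(), parameters.ToArray()).ToList();
    }

    // Value-only form from Answer 2: EF creates the parameters itself; {0} and {1} must match the argument order.
    public static List<Customer> FindByNameAndCity(ObjectContext db, string name, string city)
    {
        return db.ExecuteStoreQuery<Customer>(
            "SELECT Id, Name, City FROM Customers WHERE Name = {0} AND City = {1}", name, city).ToList();
    }
}
```

With either form, a value such as `' OR 1=1 --` arrives at SQL Server as a literal string compared against the column, not as SQL text.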
Source: https://stackoverflow.com/questions/9297903/entity-framework-and-the-raw-string-query-sql-injection-prevention