Control SQL injection in MVC

Posted by 二次信任 on 2020-01-09 13:58:09

Question


It's my first time developing using MVC and I want to make it secure.

When I use HtmlEncode it converts the String to the equivalent HTML String.

The user can enter, for example, ali' or ali-- in the search, and those values exist in my database. How do I protect my search and login from SQL injection, please?

Also any tutorial or best practice to prevent script injection?


Answer 1:


LINQ and Entity Framework already check for SQL Injection for you.

But you should read the documentation anyhow:

LINQ MSDN Link (section SQL-Injection Attacks)

Entity Framework MSDN Link (section Security Considerations for Queries)

Hope it helps!




Answer 2:


As long as you use parameterized queries or an ORM like NHibernate or Entity Framework you don't have to do anything to prevent SQL injection. Parameters are passed to the server outside the actual SQL statement, as part of the RPC call to the server. Most ORMs use parameterized queries for performance reasons, so they are not vulnerable to SQL injection.

SQL Injection is possible only if you create a SQL statement by concatenating string values.

That said, you still have to be wary of user input to prevent script injection attacks. Fortunately, ASP.NET MVC already provides a request validation mechanism (see Understanding Request Validation).
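The distinction this answer draws, string concatenation versus parameters passed outside the statement text, can be seen directly with the two inputs from the question. The following is an added example, not code from any of the answers; it uses Python's built-in sqlite3 module as a stand-in for ADO.NET and SQL Server because the mechanism is the same (the driver ships the value separately from the SQL text), and the user table it creates is constructed sample data.

```python
import sqlite3

# Constructed sample data: usernames that literally contain a quote and a
# comment marker, i.e. exactly the values the question says exist in the table.
SAMPLE_USERS = ["alice", "ali'", "ali--", "bob"]


def make_db():
    """Create an in-memory database populated with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    # executemany with '?' placeholders is itself a parameterized insert.
    conn.executemany("INSERT INTO users (name) VALUES (?)", [(n,) for n in SAMPLE_USERS])
    return conn


def search_concat(conn, term):
    """Vulnerable form: the user's text is spliced into the SQL statement itself,
    so a quote in the input changes the statement's structure."""
    sql = "SELECT name FROM users WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, term):
    """Safe form: the statement text is fixed and the value travels as a bound
    parameter, so the database never parses the input as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


def compare(term):
    """Run both forms on a fresh database and return (concatenated_result, parameterized_result).
    A database error from the concatenated form is reported as a string instead of raised."""
    conn = make_db()
    try:
        concat = search_concat(conn, term)
    except sqlite3.Error as exc:
        concat = f"error: {type(exc).__name__}"
    param = search_param(conn, term)
    conn.close()
    return concat, param


if __name__ == "__main__":
    for term in ["alice", "ali'", "ali--"]:
        concat, param = compare(term)
        print(f"{term!r:10} concatenated -> {concat!s:28} parameterized -> {param}")
```

With the literal ali' the concatenated statement becomes `... WHERE name = 'ali''`, which SQLite rejects as an unterminated string, while the parameterized query simply finds the row named ali'. With ali-- the concatenated form happens to work because the quotes enclose the comment marker, which is the point: its behaviour depends on the content of the input, whereas the parameterized form returns the matching row for every input without ever re-parsing it.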




Answer 3:


If you use LINQ to perform your database queries, it eliminates that kind of SQL injection risk for you.



Source: https://stackoverflow.com/questions/9079400/control-sql-injection-in-mvc
