LINQ to Entities and SQL injection

Question

I've seen a couple of conflicting articles about whether or not L2E is susceptible to SQL injection.

From MSDN:

Does that imply that there are "non-traditional" attacks that may work? This article has one example of a non-parameterized query - is it safe to assume that if you pass in user-supplied data via a variable it will be parameterized?

If I do this:

from foo in ctx.Bar where foo.Field == userSuppliedString select foo;

Am I safe?

Answer

In your example you're using a variable (userSuppliedString), so it will be parameterized.

If you had a literal value in your code:

from foo in ctx.Bar where foo.Field == "Hi" select foo;

...then EF 1 won't parameterize it, but there's also zero danger of SQL injection since it's a literal.
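An added example, not code from the question or the answer, that lets you verify the claim instead of trusting it: cast the LINQ query to ObjectQuery<T> and call ToTraceString() to see the store command before anything is executed. It assumes a hypothetical EF 1 (.NET 3.5 SP1) ObjectContext named MyEntities with an entity set Bar whose entity type Bar has a string property Field; only ctx.Bar and foo.Field come from the page, the rest are assumptions. It also goes beyond the two cases on the page by showing the pattern that is injectable in this stack, an Entity SQL string built by concatenation, next to its parameterized form.

```csharp
using System;
using System.Data.Objects;
using System.Linq;

// Added example, not from the original post. Assumed model: an EF 1 ObjectContext
// "MyEntities" (also the entity container name) with entity set Bar, whose entity
// type Bar has a string property Field. Only ctx.Bar and foo.Field are from the page.
static class InjectionCheck
{
    // Returns the store SQL EF would send for a LINQ to Entities query, without running it.
    static string TraceSql<T>(IQueryable<T> query)
    {
        return ((ObjectQuery<T>)query).ToTraceString();
    }

    static void Main()
    {
        // Constructed hostile input: a classic tautology payload.
        string userSuppliedString = "Hi' OR '1'='1";

        using (var ctx = new MyEntities())
        {
            // 1. Variable in the LINQ predicate. EF captures it as a command parameter,
            //    so the payload never becomes part of the SQL text.
            var safe = from foo in ctx.Bar where foo.Field == userSuppliedString select foo;
            string safeSql = TraceSql(safe);
            Console.WriteLine(safeSql);
            // Look for a placeholder (e.g. @p__linq__0) and confirm the payload is absent.
            Console.WriteLine("payload present in SQL text: " + safeSql.Contains("OR '1'='1"));

            // 2. Literal in the LINQ predicate. EF 1 inlines it into the SQL, which is
            //    harmless because the value is fixed in source code, not user-controlled.
            var literal = from foo in ctx.Bar where foo.Field == "Hi" select foo;
            Console.WriteLine(TraceSql(literal));

            // 3. The injectable pattern in this stack: user input concatenated into an
            //    Entity SQL string. The payload closes the quote and adds OR '1'='1'.
            string esql = "SELECT VALUE b FROM MyEntities.Bar AS b WHERE b.Field = '"
                          + userSuppliedString + "'";
            ObjectQuery<Bar> unsafeQuery = ctx.CreateQuery<Bar>(esql);
            Console.WriteLine(unsafeQuery.ToTraceString()); // payload is now part of the command

            // 4. Fix for 3: keep the query text constant and pass the value as a parameter.
            ObjectQuery<Bar> fixedQuery = ctx.CreateQuery<Bar>(
                "SELECT VALUE b FROM MyEntities.Bar AS b WHERE b.Field = @f",
                new ObjectParameter("f", userSuppliedString));
            Console.WriteLine(fixedQuery.ToTraceString());
        }
    }
}
```

Run it against a model with those names and compare the four traces: cases 1 and 4 carry the value as a parameter and contain no fragment of the payload, case 2 inlines a constant that no user can influence, and case 3 shows the tautology spliced into the WHERE clause. The rule that falls out is the same as for classic ADO.NET: values that reach the query through a LINQ variable or an ObjectParameter are safe; values concatenated into any query string are not.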
