Question
I've seen a couple of conflicting articles about whether or not L2E is susceptible to SQL injection.
From MSDN:
Does that imply that there are "non-traditional" attacks that may work? This article has one example of a non-parameterized query - is it safe to assume that if you pass in user-supplied data via a variable it will be parameterized?
If I do this:
from foo in ctx.Bar where foo.Field == userSuppliedString select foo;
Am I safe?
Accepted answer
In your example you're using a variable (userSuppliedString), so it will be parameterized.
If you had a literal value in your code:
from foo in ctx.Bar where foo.Field == "Hi" select foo;
...then EF 1 won't parameterize it, but there's also zero danger of SQL injection since it's a literal.
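A way to verify the answer's claim in your own code base, as an added example that is not part of the original question or answer: render the SQL that EF will send with ObjectQuery.ToTraceString() and check whether the user-supplied string shows up verbatim inside the SQL text. The context type MyEntities, the entity set Bar and its string property Field are assumed names for illustration.

```csharp
// Added example; assumes an EF 1 / ObjectContext model (hypothetical MyEntities)
// with an entity set Bar whose entity type has a string property Field.
using System;
using System.Data.Objects;
using System.Linq;

static class ParameterizationCheck
{
    // Returns the SQL text EF generates for a LINQ to Entities query without executing it.
    public static string TraceSql<T>(IQueryable<T> query)
    {
        var objectQuery = query as ObjectQuery<T>;
        if (objectQuery == null)
            throw new ArgumentException("Not a LINQ to Entities query.", "query");
        return objectQuery.ToTraceString();
    }

    // True when the raw user value has been inlined into the SQL text instead of
    // being sent as a separate parameter. A parameterized query never contains it.
    public static bool IsValueInlined<T>(IQueryable<T> query, string userValue)
    {
        string sql = TraceSql(query);
        return sql.Contains(userValue);
    }

    public static void Demo(MyEntities ctx, string userSuppliedString)
    {
        // Value captured from a variable: EF emits a parameter for it.
        var viaVariable = from foo in ctx.Bar
                          where foo.Field == userSuppliedString
                          select foo;

        // Literal in the expression tree: EF 1 inlines it, which is harmless
        // because the text is fixed at compile time, not chosen by a user.
        var viaLiteral = from foo in ctx.Bar
                         where foo.Field == "Hi"
                         select foo;

        Console.WriteLine(TraceSql(viaVariable));
        Console.WriteLine("user value inlined: " + IsValueInlined(viaVariable, userSuppliedString));
        Console.WriteLine(TraceSql(viaLiteral));
    }
}
```

Run Demo with a distinctive marker string (for example a constructed value such as "CHECK-1234'--") and confirm it is absent from the traced SQL for the variable-based query; if it ever appears, that query path is building SQL from user input and needs attention.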