


Jul 08, 2014


Preventing SQL Injection on the Paged method of the Entity class

The Paged helper method in the Entity<T> class inside Core.cs is vulnerable to SQL injection, and you have used this method in several places inside your Spark application. What is your suggestion on preventing SQL injection against this method? Checking and validating the "where" prior to passing it to the method and blacklisting?


http://www.dofactory.com/topic/1869/prevent-sql-injection-in-spark-4-5-core-cs-line-312.aspx


Kind regards,





Jul 08, 2014
Indeed, as a developer you should never take any user input and place it verbatim into the 'where' string.

Instead you construct your where clause with ordinal parameters (@0, @1, etc.).
Then pass the actual parameter values into the parameter list of the Paged and other methods.
(this is why there is a separate parameter list in the first place).

Hope this helps.
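To make the answer concrete, here is an added C# example (not Spark's own Core.cs and not the poster's code) of a minimal Paged-style helper built the way the answer describes: the 'where' text is a developer-written fragment that contains only ordinal placeholders (@0, @1, ...), and the actual values travel in a separate list that becomes SqlParameters. The class and method names, the signature, the `Customers` table and its columns are all assumptions for illustration; the real Entity<T>.Paged signature is not shown on this page.

```csharp
// Added example, not Spark's Core.cs. Names, signature and the sample table are assumptions.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class PagedQuery
{
    // Matches ordinal placeholders such as @0, @1, @12 in the where fragment.
    private static readonly Regex Placeholder = new Regex(@"@(\d+)", RegexOptions.Compiled);
    // Identifiers (table, order-by column) cannot be parameterized, so they are
    // restricted to plain names and must come from code constants, never from a request.
    private static readonly Regex Identifier = new Regex(@"^[A-Za-z_][A-Za-z0-9_]*$", RegexOptions.Compiled);

    public static SqlCommand Build(SqlConnection conn, string table, string where,
                                   string orderBy, int page, int pageSize, params object[] args)
    {
        if (page < 1 || pageSize < 1) throw new ArgumentOutOfRangeException("page/pageSize");
        if (!Identifier.IsMatch(table) || !Identifier.IsMatch(orderBy))
            throw new ArgumentException("table and orderBy must be plain identifiers");

        // Defensive convention: values go through @n placeholders, so a string literal
        // in the fragment is a sign that something was concatenated in by mistake.
        if (where.Contains("'"))
            throw new ArgumentException("Use @n placeholders for values; no literals in the where fragment");

        // Every @n placeholder must have a matching entry in the value list.
        foreach (Match m in Placeholder.Matches(where))
        {
            int idx = int.Parse(m.Groups[1].Value);
            if (idx >= args.Length)
                throw new ArgumentException("Placeholder @" + idx + " has no value in the argument list");
        }

        var cmd = conn.CreateCommand();
        cmd.CommandType = CommandType.Text;
        // The SQL text is fixed at build time; user data never becomes part of it.
        cmd.CommandText =
            "SELECT * FROM [" + table + "] WHERE " + where +
            " ORDER BY [" + orderBy + "]" +
            " OFFSET @__offset ROWS FETCH NEXT @__size ROWS ONLY";

        // Each value is bound as a typed parameter named after its ordinal position.
        for (int i = 0; i < args.Length; i++)
            cmd.Parameters.AddWithValue("@" + i, args[i] ?? DBNull.Value);
        cmd.Parameters.AddWithValue("@__offset", (page - 1) * pageSize);
        cmd.Parameters.AddWithValue("@__size", pageSize);
        return cmd;
    }
}

public static class Usage
{
    public static void ListActiveCustomers(SqlConnection conn, string userSuppliedName)
    {
        // Vulnerable pattern (what the question describes): the request value is
        // spliced into the where string, so a quote in the input rewrites the query.
        // var bad = PagedQuery.Build(conn, "Customers",
        //     "Name = '" + userSuppliedName + "' AND IsActive = 1", "Id", 1, 20);

        // Correct pattern (what the answer recommends): a constant fragment with
        // ordinal placeholders, and the values passed in the separate parameter list.
        using (var cmd = PagedQuery.Build(conn, "Customers",
                   "Name = @0 AND IsActive = @1", "Id", 1, 20, userSuppliedName, true))
        using (var reader = cmd.ExecuteReader())
        {
            while (reader.Read())
                Console.WriteLine(reader["Name"]);
        }
    }
}
```

The literal check in `Build` is a convention rather than a security boundary: the real protection is that values only ever reach the database as parameters, so the fragment never needs a quoted literal, and finding one is a cheap way to catch a call site that still concatenates input. Table and column names cannot be parameterized at all, which is why the helper accepts only plain identifiers for them and expects them to be constants in code.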