Dofactory.com
Preventing SQL Injection on the Paged method of the Entity class

The Paged helper method in the Entity<T> class inside Core.cs is vulnerable to SQL injection, and you have used this method in several places inside your Spark application. What is your suggestion on preventing SQL injection against this method? Checking and validating the "where" prior to passing it to the method and blacklisting?

http://www.dofactory.com/topic/1869/prevent-sql-injection-in-spark-4-5-core-cs-line-312.aspx

Kind regards,

Jack Parker, Jul 08, 2014
Reply 1
Indeed, as a developer you should never take any user input and place it verbatim into the 'where' string.

Instead you construct your where clause with ordinal parameters (@0, @1, etc.).
Then pass the actual parameter values into the parameter list of the Paged and other methods
(this is why there is a separate parameter list in the first place).

Hope this helps.

Jack Poorte, Jul 08, 2014
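A worked example of the advice in the reply above, added here and not taken from the Spark source or from either poster: the where string is developer-authored and holds only ordinal placeholders, while the untrusted values ride in the separate parameter list. `BuildCommand` is a hypothetical stand-in for how a Paged-style method maps `@0`, `@1`, ... onto `SqlParameter`s; the `Users` table and the `Name`/`Age` columns are made-up sample data.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class PagedWhereExample
{
    // BEFORE: user input pasted verbatim into the where string. A value such as
    // x' OR '1'='1  rewrites the query, which is the injection the question describes.
    public static string UnsafeWhere(string userName)
    {
        return "Name = '" + userName + "'";
    }

    // AFTER: the where string contains only @N placeholders written by the
    // developer; the untrusted values travel in the separate parameter list.
    public static SqlCommand SafeUserQuery(SqlConnection conn, string userName, int minAge)
    {
        string where = "Name = @0 AND Age >= @1";   // never concatenate values here
        object[] args = { userName, minAge };       // values go to the parameter list
        return BuildCommand(conn, where, args);
    }

    // Hypothetical stand-in for how a Paged-style method consumes its parameter
    // list: each @N placeholder becomes a SqlParameter, so the driver sends the
    // values separately and the database never parses them as SQL text.
    public static SqlCommand BuildCommand(SqlConnection conn, string where, object[] args)
    {
        // Sanity check: every placeholder used must have a matching argument.
        foreach (Match m in Regex.Matches(where, @"@(\d+)"))
        {
            int index = int.Parse(m.Groups[1].Value);
            if (index >= args.Length)
                throw new ArgumentException("No value supplied for placeholder @" + index);
        }

        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandType = CommandType.Text;
        cmd.CommandText = "SELECT * FROM Users WHERE " + where;   // 'Users' is a fixed sample table
        for (int i = 0; i < args.Length; i++)
        {
            cmd.Parameters.AddWithValue("@" + i, args[i] ?? DBNull.Value);
        }
        return cmd;
    }
}
```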