
Preventing SQL Injection on the Paged method of the Entity class

The Paged helper method in the Entity<T> class inside Core.cs is vulnerable to SQL injection, and you have used this method in several places inside your Spark application. What is your suggestion on preventing SQL injection against this method? Checking and validating the "where" prior to passing it to the method, and blacklisting?


http://www.dofactory.com/topic/1869/prevent-sql-injection-in-spark-4-5-core-cs-line-312.aspx


Kind regards,


Jack Parker, Jul 08, 2014
Reply 1
Indeed, as a developer you should never take any user input and place it verbatim into the 'where' string. 

Instead, you construct your where clause with ordinal parameters (@0, @1, etc.).
Then pass the actual parameter values into the parameter list of the Paged and other methods
(this is why there is a separate parameter list in the first place).

Hope this helps.

Jack Poorte, Jul 08, 2014
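The pattern the reply describes, written out as an added C# example. This is not code from Spark's Core.cs; it assumes a Paged method shaped roughly like `Paged(int page, int pageSize, string where, params object[] args)` in which `@0`, `@1`, ... inside `where` refer to the matching entries of `args`. The `Bind` method is a hypothetical illustration of what a binder for ordinal placeholders does underneath, not Spark's implementation.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example; not Spark's Core.cs. Assumed shape of the method under discussion:
//   IList<T> Paged(int page, int pageSize, string where, params object[] args)
// where @0, @1, ... inside 'where' refer to the matching entries of 'args'.
public static class PagedExamples
{
    // VULNERABLE: the user-supplied value becomes part of the SQL text.
    // lastName = "x' OR 1=1 --"  yields   LastName = 'x' OR 1=1 --'
    // which matches every row and comments out whatever followed.
    public static string WhereUnsafe(string lastName)
    {
        return "LastName = '" + lastName + "'";
    }

    // SAFE: the clause holds only ordinal placeholders; values go in the args array.
    // The same attacker string is now just a literal last name to compare against.
    // Usage with the assumed method:  var (w, a) = WhereSafe(input, 18);
    //                                  var rows = repo.Paged(1, 20, w, a);
    public static (string Where, object[] Args) WhereSafe(string lastName, int minAge)
    {
        return ("LastName = @0 AND Age >= @1", new object[] { lastName, minAge });
    }

    // Identifiers (column names, sort direction) cannot be parameterised. When the
    // caller may choose the sort column, map it through an allow-list instead of
    // concatenating it; a blacklist of "bad characters" does not close this hole.
    private static readonly Dictionary<string, string> SortColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "name", "LastName" },
            { "age",  "Age" },
        };

    public static string OrderByColumn(string requested)
    {
        if (!SortColumns.TryGetValue(requested ?? "", out var column))
            throw new ArgumentException("Unknown sort column: " + requested);
        return column;
    }

    // Hypothetical binder for ordinal placeholders (written for this example, not
    // Spark's code): rewrite @n to a named SqlParameter so the driver sends the
    // values out-of-band and the database never parses them as SQL text.
    public static SqlCommand Bind(SqlConnection conn, string sql, object[] args)
    {
        var cmd = conn.CreateCommand();
        var seen = new HashSet<int>();
        cmd.CommandText = Regex.Replace(sql, @"@(\d+)", m =>
        {
            int n = int.Parse(m.Groups[1].Value);
            if (n >= args.Length)
                throw new ArgumentException("Placeholder @" + n + " has no argument");
            if (seen.Add(n))
                cmd.Parameters.AddWithValue("@p" + n, args[n] ?? DBNull.Value);
            return "@p" + n;
        });
        if (seen.Count != args.Length)
            throw new ArgumentException("Argument count does not match placeholders");
        return cmd;
    }
}
```

Two points worth checking in any caller of Paged: the `where` string should contain no value that originated outside the application, only placeholders and fixed SQL; and anything that must be an identifier rather than a value (a sort column, a table name) is validated against a fixed allow-list, because parameters cannot carry identifiers.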

