
Do Entity Framework functions automatically escape input to protect against injection?

In my SQL DB layer, I have a SPROC that takes an nvarchar(max) as input. In my EDMX, the SPROC is mapped to a function import as methodName(string input). Do I need to manually escape the input to protect against injection, or does Entity Framework do this automatically?

2 Answers


Depends...

EF does escape inputs for you, so you are safe in most cases.

But if you create dynamic SQL inside the procedure with the inputs, or call another function or procedure with the inputs, you are still subject to a SQL Injection attack.

To prevent SQL Injection, one has to follow through to the last part of the execution path and make sure the inputs are validated.


4 Comments

What do you mean by "not auto escape inputs"? I can surely call a mapped sproc using any parameters at all and I will not suffer SQL injection.
Agreed, that's what my last sentence said.
The answer is completely wrong. EF sends this input as a Command Parameter, which is safe against SQL Injection, and Command Parameters are escaped by the underlying SQL driver.
@AkashKava, thank you for pointing that out. I have updated my answer with references.

Simply by virtue of using a stored procedure you should not need to escape the input unless you are building dynamic SQL in your stored procedure that will later be executed.
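Both answers make the same point: the EF function import sends the string as a SqlParameter, so the call itself cannot inject, but whatever the procedure does with that parameter afterwards is on you. The following T-SQL is an added example, not code from the original question or answers, and the table dbo.Customers and both procedure names are hypothetical. It shows the failure mode (a procedure that concatenates its parameter into dynamic SQL and runs it with EXEC) beside the corrected form (sp_executesql with a typed parameter, which keeps the value out of the statement text all the way down).

```sql
-- Added example (hypothetical schema): dbo.Customers(Name nvarchar(200)).
-- EF passes @input as a command parameter in both cases; the difference is
-- entirely in what the procedure body does with it.

-- Vulnerable: the parameter boundary is thrown away by string concatenation,
-- so the caller's text becomes part of the statement that EXEC runs.
CREATE OR ALTER PROCEDURE dbo.SearchCustomers_Unsafe
    @input nvarchar(max)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT Name FROM dbo.Customers WHERE Name LIKE ''%' + @input + N'%''';
    EXEC (@sql);
END;
GO

-- With @input = N'x'' OR 1=1; --' the statement that runs is:
--   SELECT Name FROM dbo.Customers WHERE Name LIKE '%x' OR 1=1; --%'
-- i.e. every row, plus any statements the caller appends before the comment.

-- Hardened: the value stays a parameter of the dynamic statement, so the
-- same input is only ever compared as data. (If the query does not actually
-- need to be dynamic, a plain static SELECT is the first choice.)
CREATE OR ALTER PROCEDURE dbo.SearchCustomers_Safe
    @input nvarchar(max)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT Name FROM dbo.Customers WHERE Name LIKE ''%'' + @pattern + ''%''';
    EXEC sys.sp_executesql
        @sql,
        N'@pattern nvarchar(max)',
        @pattern = @input;
END;
GO

-- Constructed demonstration call: the same crafted string through both procedures.
-- The first returns the whole table; the second returns only names that literally
-- contain the text x' OR 1=1; --
EXEC dbo.SearchCustomers_Unsafe @input = N'x'' OR 1=1; --';
EXEC dbo.SearchCustomers_Safe   @input = N'x'' OR 1=1; --';
```

Two practitioner caveats that follow from this: nothing on the C# side needs escaping, and adding it there would only corrupt legitimate data; and the hardened version still lets a caller supply LIKE wildcards (% and _), which is a data-scoping issue rather than injection and is handled with an ESCAPE clause if it matters. The audit question for any mapped procedure is therefore not "does EF parameterize" but "does the procedure, or anything it calls, ever turn that parameter back into executable text".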
