0

Does MVC.Net have any system to prevent SQL injection attacks, or should I check it manually in my code?

7
  • SQL injection is usually handled at the ORM layer of the app. Most modern ORMs provide default protection from SQL injection (usually via parameterized queries or stored procedures). You should not try to roll your own query text-searching solution, if possible; it is fraught with edge cases. Commented Jun 8, 2015 at 5:52
  • I have my own ORM. My question is this: should I check for injection in my ORM, or does MVC itself have some system, like validation at the Razor or controller level, that prevents injection? Commented Jun 8, 2015 at 5:58
  • The below query is very similar to this one, stackoverflow.com/questions/9079400/… Commented Jun 8, 2015 at 5:58
  • I don't believe MVC has any native support for SQL injection protection (and it shouldn't as it is well outside MVC's expected scope). MVC does have a mechanism for script injection protection, but that is a separate issue. Does your ORM create a SQL statement by concatenating string values obtained from web page postbacks or query strings? Commented Jun 8, 2015 at 6:01
  • I thought SQL injection could be validated at the view level. So maybe MVC.Net, which created some validation for inputs, has something like validation for injections too. In my ORM the main methods work with SPs, but some of them create a string query. Commented Jun 8, 2015 at 6:06

3 Answers 3

0

This is independent of the frontend; how to prevent this depends on the language you use and the features of your database connection.

Normally you simply use stored procedures to circumvent injection attacks.

See here for an example.


2 Comments

I have my own ORM. My question is this: should I check for injection in my ORM, or does MVC itself have some system, like validation at the Razor or controller level, that prevents injection? I use C# and Razor.
@SiamakFerdos You should state this in your question, because this makes a difference and influences what people will answer. Perhaps it is also a good idea to ask two questions (does MVC offer such a feature / does Razor offer such a feature) in your post, or ask a new question with a focus on Razor. Perhaps this is of interest: troyhunt.com/2012/12/stored-procedures-and-orms-wont-save.html
0

Has MVC.Net any system to prevent SQL injection attack

No, because this is outside the scope of 'MVC'.

MVC deals with the front-end, while SQL injection attacks occur at the back-end. MVC does not know how you are persisting your data, e.g. Entity Framework, NHibernate, ADO directly or your own ORM.

should I check in my own code

From the comments, this appears to mean: should I check in my own ORM.

Yes. Always. Regardless of what you are using as a front-end, your own ORM should check (or, more specifically, not allow by design) SQL injection attacks.

This leads to the question:

can MVC check for this

Yes - you can write a custom validator attribute to apply to your POCO properties to check for some potential SQL injection attacks.

I said earlier, "not allow by design", because there is no way you will be able to check for 100% of all possible current and future SQL injection methods for all of the DB engines that your ORM handles.

You'll also need to consider that 'attacks' will be different per DB engine (Oracle, TSQL, nosql), so any UI check will need to be aware of the DB engine currently in use.


0

Has MVC.Net any system to prevent SQL injection attack?

No, it does not. MVC is completely unaware of SQL servers. It is not its area of responsibility.

I should check it manually in my code?

No. Absolutely not. If you rely on a string check to see if the user's input is intended to create an SQL injection, you will get it wrong. Even if you eventually get it right (at which point your validation code might get really long and complicated), all this effort will be in vain because you never needed to do it in the first place.

What you should do is always use parameters in your queries and never construct an SQL statement via string concatenation. If you are using a sane ORM framework, it will do that for you.

This advice does not change with or without the use of ASP.NET MVC.
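The parameterised query this answer recommends, placed beside the string concatenation it warns against, plus the parameterised stored-procedure call that the first answer and the asker's own ORM rely on. This is an added C# example, not code from any of the posters; it assumes ADO.NET SqlClient, a hypothetical Users(UserName, Email) table and a hypothetical dbo.GetUserEmail procedure.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
// Hypothetical data-access class (not the asker's ORM); the table Users(UserName, Email)
// and the procedure dbo.GetUserEmail(@UserName) are assumed to exist.
public sealed class UserRepository
{
    private readonly string _connectionString;
    public UserRepository(string connectionString) { _connectionString = connectionString; }

    // VULNERABLE: the input is pasted into the SQL text, so the database cannot tell
    // data from code; a single quote inside userName changes the statement's meaning.
    public string FindEmailUnsafe(string userName)
    {
        string sql = "SELECT Email FROM Users WHERE UserName = '" + userName + "'";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    // SAFE: the SQL text is a constant; the value travels as a typed parameter and is
    // never parsed as SQL, whatever characters it contains. No input filtering needed.
    public string FindEmailSafe(string userName)
    {
        const string sql = "SELECT Email FROM Users WHERE UserName = @userName";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    // A stored procedure is only as safe as the way it is called: pass typed parameters
    // with CommandType.StoredProcedure, never build an "EXEC ... 'value'" string.
    public string FindEmailViaProcedure(string userName)
    {
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand("dbo.GetUserEmail", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }
}
```

In a code review, the presence of a `+` or string interpolation inside a SQL string is the signal to look for; the two safe methods contain none.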
