20

I'm building up an IQueryable where I am applying relevant filters, and I come across this line of code here.

items = items.OrderBy(string.Format("{0} {1}", sortBy, sortDirection));

Is this snippet vulnerable to SQL injection? Or are these (string) parameters parameterized behind the scenes? I assumed that all Linq queries were escaped and parameterized for me, but the fact that I am able to pass in a string directly like this is throwing me off.

Improve this question
3
  • 1
    Does that statement work for you? Do you have a static extension method implementing it? I'm not familiar with OrderBy not taking a lamba expression. Commented Sep 7, 2016 at 0:15
  • 1
    This extension was located in the System.Linq.Dynamic namespace. with a method signature static IQueryable<T> OrderBy<T>(this IQueryable<T> source, string ordering, params object[] values). Commented Sep 7, 2016 at 0:20
  • 1
    Looks like System.Linq.Dynamic is an open-source project hosted on CodePlex. The source code is at dynamiclinq.codeplex.com/SourceControl/latest#DynamicLinq/…. From what I can see they are taking the string data and using it to modify the expression tree so, no, it's not vulnerable to SQL injection. Commented Sep 7, 2016 at 0:33

1 Answer 1

Reset to default
35

First Point :

You have to avoid returning IQueryable<T> types from methods that are exposed to potentially untrusted callers for the following reasons:

  • A consumer of a query that exposes an IQueryable<T> type could call methods on the result that expose secure data or increase the size of the result set. For example, consider the following method signature:

    public IQueryable<Customer> GetCustomer(int customerId)

A consumer of this query could call .Include("Orders") on the returned IQueryable<Customer> to retrieve data that the query did not intend to expose. This can be avoided by changing the return type of the method to IEnumerable<T> and calling a method (such as .ToList()) that materializes the results.

  • Because IQueryable<T> queries are executed when the results are iterated over, a consumer of a query that exposes an IQueryable<T> type could catch exceptions that are thrown. Exceptions could contain information not intended for the consumer.

Second Point :

How to prevent SQL injection attacks ?

  • Entity SQL injection attacks:

SQL injection attacks can be performed in Entity SQL by supplying malicious input to values that are used in a query predicate and in parameter names.

To avoid the risk of SQL injection

you should never combine user input with Entity SQL command text

Entity SQL queries accept parameters everywhere that literals are accepted. You should use parameterized queries instead of injecting literals from an external agent directly into the query. You should also consider using query builder methods to safely construct Entity SQL.

  • LINQ to Entities injection attacks:

Although query composition is possible in LINQ to Entities, it is performed through the object model API. Unlike Entity SQL queries, LINQ to Entities queries are not composed by using string manipulation or concatenation, and they are not susceptible to traditional SQL injection attacks.

Reference : Security Considerations (Entity Framework)

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.