12

It's my first time developing using MVC and I want to make it secure.

When I use HtmlEncode it converts the String to the equivalent HTML String.

The user can enter in the search, for example, ali' or ali--, and they exist in my database. How do I protect my search and login from SQL injection, please?

Also, any tutorial or best practice to prevent script injection?

5
  • How do you access your database? LINQ? Entity Framework? Commented Jan 31, 2012 at 12:22
  • I use the normal one. Which do you prefer, LINQ or Entity Framework? Commented Jan 31, 2012 at 12:23
  • Check out this SO link... Both will check for SQL injection for you... Commented Jan 31, 2012 at 12:26
  • Thanks, what about script injection, please? Commented Jan 31, 2012 at 12:29
  • Please improve by mentioning how you access your database. Commented Apr 15, 2013 at 15:13

3 Answers

19

LINQ and Entity Framework already check for SQL Injection for you.

But you should read the documentation anyhow:

LINQ MSDN Link (section SQL-Injection Attacks)

Entity Framework MSDN Link (section Security Considerations for Queries)

Hope it helps!


5 Comments

  • @AMH I believe that should be another question, but this link could be helpful: asp tutorials
  • Which do you prefer, please, LINQ or EF?
  • In my particular case I prefer EF, but I don't know what you are trying to build... Actually I made my decision reading this
  • I have one database that contains my website, and will connect, add, delete from it
9

As long as you use parameterized queries or an ORM like NHibernate or Entity Framework, you don't have to do anything to prevent SQL injection. Parameters are passed to the server outside the actual SQL statement, as part of the RPC call to the server. Most ORMs use parameterized queries for performance reasons, so they are not vulnerable to SQL injection.

SQL Injection is possible only if you create a SQL statement by concatenating string values.

That said, you still have to be wary of user input to prevent script injection attacks. Fortunately, ASP.NET MVC already provides a request validation mechanism (see Understanding Request Validation).

2 Comments

  • But I tried to drop a database I know by passing values by parameters.
  • No matter what you pass to the parameter (and by parameter I mean a DbParameter-derived object like SqlParameter (msdn.microsoft.com/en-us/library/…)), it will be passed to the server as a simple string. It is never executed. You can still get into trouble if you use the stored value to construct a SQL statement by string concatenation in some other part of your application.
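The mechanism this answer and its follow-up comment describe (the statement text is fixed, and the user's value travels separately, so it is compared as data and never parsed as SQL) can be seen directly. The following is an added example, not code from the question, the answers or any Microsoft library: it uses Python's standard-library sqlite3 module with an in-memory database, and the names from the question (`ali'` and `ali--`) are inserted as constructed sample rows so that the whole thing runs offline. The same pattern is what `SqlCommand` with `SqlParameter` objects gives you in ASP.NET. A string-concatenated search (the vulnerable form) sits beside its parameterized form, followed by a parameterized login check.

```python
import sqlite3

# Constructed sample data: the question says users such as ali' and ali--
# really exist in the database, so the search must find them as data.
# Passwords are stored in plaintext only to keep the demo short; real code
# stores a salted hash.
SAMPLE_USERS = [("ali", "s3cret"), ("ali'", "pw-one"), ("ali--", "pw-two")]


def make_db():
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def search_concatenated(conn, term):
    """VULNERABLE: the user's text becomes part of the SQL statement itself.
    A single quote inside `term` changes the structure of the statement,
    so the engine no longer runs the query the developer wrote."""
    sql = "SELECT name FROM users WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """SAFE: the statement text never changes. `term` is handed to the engine
    as a separate value bound to the ? placeholder and is only ever compared,
    so quotes or -- inside it are plain characters."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


def concatenated_query_breaks(conn, term):
    """True when the concatenated statement cannot even be parsed for `term`.
    SQLite reports the broken statement as an OperationalError."""
    try:
        search_concatenated(conn, term)
        return False
    except sqlite3.OperationalError:
        return True


def login_parameterized(conn, name, password):
    """SAFE login check: both user-supplied values are bound as parameters,
    so neither can alter the WHERE clause."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE name = ? AND password = ?", (name, password)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    for term in ("ali", "ali'", "ali--"):
        if concatenated_query_breaks(db, term):
            print(f"concatenated search for {term!r}: statement rejected by the engine")
        else:
            print(f"concatenated search for {term!r}: {search_concatenated(db, term)}")
        print(f"parameterized search for {term!r}: {search_parameterized(db, term)}")
    print("login ali' / pw-one:", login_parameterized(db, "ali'", "pw-one"))
    print("login ali' / wrong :", login_parameterized(db, "ali'", "wrong"))
```

Running it shows the difference the answer is pointing at: the concatenated search cannot even be parsed for the name `ali'`, while the parameterized search returns exactly that row. The name `ali--` happens to work with both forms, because the quotes stay balanced, which is why a search that "works in testing" is no evidence that it is safe; only the fixed statement with bound values is.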
4

If you use LINQ to perform your database queries, it eliminates that kind of SQL injection risk for you.

1 Comment

  • Thanks, does it support ROM databases? What about script injection, please?
