Can Entity Framework be hacked?
Is it possible to perform a SQL Injection on a application that uses EF?
If so, can someone please provide a full example of how that might be done? I couldn't find any specific to EF in C#.
Heed this:
It is quite easily possible if the developer uses EF as a wrapper around ADO.NET and uses FromSQL. Of course, this is not the intended nor normal use of EF, but I have seen it – Camilo Terevinto
REF: Raw SQL Queries
Additionally, while not really "SQL injection" (since one of the goals of such is to somewhat alter your data by altering your raw SQL to produce some unintended result), you should also be aware of ASP.NET - Overposting/Mass Assignment Model Binding Security.
Sample taken straight from the link:
Your model/class:
public class Person
{
    public int ID { get; set; }
    public string First { get; set; }
    public string Last { get; set; }
    public bool IsAdmin { get; set; }
}
Somewhere in your Controller:
[HttpPost]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Create(Person person)
{
    if (ModelState.IsValid)
    {
        _context.Add(person);
        await _context.SaveChangesAsync();
        return RedirectToAction("Index");
    }
    return View(person);
}
If a theoretical EvilUser found out that Person had an "IsAdmin" property, they could "overpost" and add a field to the HTTP POST and set IsAdmin=true. There's nothing in the code here to prevent that.
So "evil user" doesn't even need to figure out SQL injection to do some unintended result. Read up on the article on ways to prevent it (e.g. BindAttribute, View Models).
Hth.
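An added example (not from the question or either answer) showing the two points above side by side in EF Core: a FromSqlRaw query built by concatenation next to the same query in parameterised FromSqlInterpolated form, and a Create action that binds to an input model with no IsAdmin property so the value can only be set server-side. The AppDbContext, CreatePersonInput and PeopleController names are assumptions; only Person comes from the answer.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

public class Person
{
    public int ID { get; set; }
    public string First { get; set; }
    public string Last { get; set; }
    public bool IsAdmin { get; set; }
}
// Input model that deliberately has no IsAdmin, so model binding can never set it.
public class CreatePersonInput
{
    public string First { get; set; }
    public string Last { get; set; }
}
// Hypothetical DbContext; the question does not show one.
public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<Person> People { get; set; }
}

public class PeopleController : Controller
{
    private readonly AppDbContext _context;
    public PeopleController(AppDbContext context) { _context = context; }

    // Raw SQL built by string concatenation: the caller's value becomes part of the SQL
    // text, which is the FromSql misuse the quoted comment warns about.
    public Task<Person[]> FindByLastUnsafe(string last) =>
        _context.People.FromSqlRaw("SELECT * FROM People WHERE Last = '" + last + "'").ToArrayAsync();

    // Same query; the interpolated value is sent as a DbParameter and never parsed as SQL.
    public Task<Person[]> FindByLast(string last) =>
        _context.People.FromSqlInterpolated($"SELECT * FROM People WHERE Last = {last}").ToArrayAsync();

    // Overposting fix: bind to a model without IsAdmin and assign it on the server.
    // ([Bind("First,Last")] on a Person parameter is the allow-list alternative.)
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Create(CreatePersonInput input)
    {
        if (!ModelState.IsValid) return View(input);
        var person = new Person { First = input.First, Last = input.Last, IsAdmin = false };
        _context.Add(person);
        await _context.SaveChangesAsync();
        return RedirectToAction("Index");
    }
}
```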
Depends on how you use it. If you use LINQ, yes, it's safe against SQL injection because it passes all data to the database via SQL parameters. LINQ queries are not composed by using string manipulation or concatenation, that's why they are not susceptible to traditional SQL injection attacks.