FromSqlRaw parameter from a List that is safe from sql injection

c# entity-framework-core

Question

I am having an issue where I need to perform a raw query using entity framework core that requires a list of strings as its parameter for a Where IN statement and I can get the query to work, but I am worried about SQL Injection attacks. My query will look something like this:

    public static string BulkGetColumn3Query
    {
        get 
        {
            return @"
                SELECT Column1, Column2
                FROM TABLE
                WHERE  column3 IN ({0})";
        }
    }

The method that calls it as I have it now looks something like this:

    async Task<List<EntityObject>> GetModelObjectByColumn3(List<string> column3Values)
    {
        var column3ValuesString = string.Join(",", column3Values);
        var query = BulkGetColumn3Query.Replace("{0}", column3ValuesString);

        return await DbSetObject
            .FromSqlRaw(query)
            .AsNoTracking()
            .ToListAsync();
    }

What can I do to attempt to mitigate SQL injection attacks?

1
3
1/15/2020 5:42:14 PM

Fastest Entity Framework Extensions

Bulk Insert
Bulk Delete
Bulk Update
Bulk Merge

Accepted Answer

This is most definitely a SQL injection concern, because column3ValuesString ends up being sent to the DB directly.

Replace this with a parameterized query:

string BulkGetColumn3Query(List<string> column3Values) {
    var selectList = string.Join(", ", column3Values.Select((_, i) => $"@p{i}"));
    return $@"SELECT Column1, Column2
            FROM TABLE
            WHERE  column3 IN ({selectList})";
}

async Task<List<EntityObject>> GetModelObjectByColumn3(List<string> column3Values)
{
   var query = BulkGetColumn3Query(column3Values);
   var sqlParameters = new List<SqlParameter>();
   return await Trailers
        .FromSqlRaw(query, column3Values.Select((val, i) => new SqlParameter($"@p{i}", val)))
        .AsNoTracking()
        .ToListAsync();
}

Let's say your list has three items: ["first", "second", "third"]. Then your query string is going to look like this:

SELECT Column1, Column2
FROM TABLE
WHERE column3 IN (@p0, @p1, @p2)

and the parameter list is going to be like this:

[   new SqlParameter("@p0", "first")
,   new SqlParameter("@p1", "second")
,   new SqlParameter("@p2", "third")]

Since all values are sent as parameters, the query is now safe.

2
1/15/2020 5:39:20 PM

Related Questions

ASP.NET Core Dependency Injection, inject with parameters

As documentation states ...here... (Scroll a bit down) you should register the ...IStateService... and ...BloggingContext... like:...services.AddDbContext<BloggingContext>(); services.AddScoped<IStateService, StateService>(); ...Then DI will resolve the whole dependency tree for you. Note that you should use scoped lifetime on service, because the ...
asp.net-core c# dependency-injection entity-framework-core visual-studio-2015
asked by mollwe

I am having trouble creating DB in SQL Server Express with Entity Framework Core 2.0

I needed to run:...Update-Database ...I went through this last year: ...Why is dotnet ef not able to create a database against SQL Server Express?...It seems I never learn.
entity-framework-core sql-server-express
asked by Sam

Is it possible to perform a SQL Injection on a application that uses Entity Framework?

Heed this:...It is quite easily possible if the developer uses EF as a wrapper around ADO.NET and uses FromSQL. Of course, this is not the intended nor normal use of EF, but I have seen it – Camilo Terevinto...REF: ...Raw SQL Queries...Additionally, while not really "sql injection", since one of the goals of such is to somewhat alter your dat...
c# entity-framework entity-framework-6 sql-injection
asked by EdSF

VS Solution Explorer Analyzers exclamation: ef1000 "possible sql injection vulnerability"

Strange message in Solution Explorer....ef1000 "possible sql injection vulnerability" ...It doesn't prevent compile, no errors, no warnings, no messages in "Errors List"....No similar messages in the output on compile... Click doesn't move focus to "vulnerability" line. No referenced file/line related information....But there is context menu with "...
entity-framework-core entity-framework-core-2.1 visual-studio visual-studio-2017
asked by Roman Pokrovskij

EF1000: Possible SQL injection vulnerability

I have a dotnet core class library. And after adding ...Microsoft.EntityFrameworkCore.SqlServer... package to project, this ...Analyzers... warning showed up:...I have only one single simple entity and a ...DbContext... in project and nothing more. Do you have any idea what is the error about and how to fix it?...I'm using ...VS 2017 Version 15.8.8...
.net-core .net-core-2.1 ef-core-2.1 entity-framework-core entity-framework-core-2.1
asked by ravy amiry

Adding connection string to DBContext (NpgSQL, Dependency Injection, .NET Core)

EF Core has two ways for initializing a DbContext - via dependency injection or without it. You're using dependency injection, so your DbContext needs to provide a constructor that accepts ...DbContextOptions<TContext>... (...see this doc link..., as @ivan-stoev wrote above)....A constructor accepting a string is only used outside of dependency inj...
asp.net-core c# entity-framework-core npgsql
asked by Shay Rojansky

How can I avoid SQL injection in this EF Core query?

Since EF Core 2.0, you can use a FormattableString, where you can use string interpolation for queries....String interpolation in FromSql and ExecuteSqlCommand... FormattableString Class ...In EF Core 2.0 we added special support for interpolated strings to our two primary APIs that accept raw SQL strings: ...FromSql... and ...ExecuteSqlCommand....
c# entity-framework-core
asked by kapsiR

FromSql(): Query string building from string list to prevent injection

You're code should be good enough with a bit of modification:...var query = String.Format("SELECT ... where 1=1 "); for (int i = 0; i < searchTerm.Count(); i++) { query += $" and MySqlField like '%'+{{{i}}}+'%'"; } var results = context.MySqlTable.FromSql(query, searchTerm.ToArray());
.net-core c# entity-framework-core sql-injection sql-server
asked by alans

Refreshing Azure Active Directory access token in ASP.NET Core with dependency injection for SQL Database

For your issue, it is caused by that you passing the ...dbConnection... to ...AlpinehutsDbContext.... When initiailizing ...AlpinehutsDbContext..., it will always use the ...dbConnection.... And then, if the connection is invalid, it will throw error. ...You could try to initialize ...dbConnection... when initializing ...AlpinehutsDbContext... li...
asp.net-core azure azure-sql-database c# entity-framework-core
asked by Edward

ASP.NET Core - Repository dependency injection fails on Singleton injection

Simply put, your go-to lifetime should be "scoped". You should only use a singleton or transient lifetime if you have a ...good... reason to do so. For a singleton, that's stuff like managing locks or holding data that needs to persist for the lifetime of the application, neither of which applies to the concept of a repository. Repositories should ...
asp.net-core asp.net-core-mvc c# dependency-injection entity-framework-core
asked by Chris Pratt

Fastest Entity Framework Extensions

Bulk Insert
Bulk Delete
Bulk Update
Bulk Merge
View more on Stack Overflow

Prime Library

Performance

Expression Evaluator

More Projects...

Related

Licensed under: CC-BY-SA with attribution
Not affiliated with Stack Overflow
Licensed under: CC-BY-SA with attribution
Not affiliated with Stack Overflow