Prevent harmful call to database on string

Question

Say I have this class:

public class MyObject
{
    public string Name { get;set;}
}

When making db calls to see if there's any items with a name, I do this:

public List<MyObject> ListObjectsByName(string _myObject)
{
    var objectQry = from object in db.MyObject
            where object.Name == _myObject
            select object;

    if(!objectQry.Any())
    {
        return null;
    }

    return objectQry.ToList();
}

I would like to block any harmful attempt to my database by parsing the _myObject string, so that if a clown tries to get all *DELETE MyObjects, my app won't crash. I'm using MVC 4. Is there any way to do that?

You should probably have tested to see if this was even a problem before posting this question in the first place. 2cent> — Tombala, Jul 02 '13 at 19:48
Well, it's not that I did not tested it out, rather I felt like I wanted to prevent any damage. I'm new to using Entity Framework. — hsim, Jul 02 '13 at 19:49

score 6 · Answer 1 · answered Jul 02 '13 at 19:47

6

This is not a problem. Entity Framework doesn't just throw the string into the middle of the query. It doesn't matter what's in the string. There will be no SQL Injection Attack.

Try it yourself and see.

answered Jul 02 '13 at 19:47

John Saunders

160,644
26
247
397

In a way, you are right. I did manage to save my item under *DELETE name. Thanks! – hsim Jul 02 '13 at 19:48
In what way am I _not_ right? – John Saunders Jul 02 '13 at 22:07

score 3 · Answer 2 · edited May 23 '17 at 11:56

3

LINQ prevents SQL Injection (what you are trying to prevent). This question should answer all of your questions: Will using LINQ to SQL help prevent SQL injection

edited May 23 '17 at 11:56

Community

1
1

answered Jul 02 '13 at 19:47

dparsons

2,812
5
28
44

Oh, I will make sure to read that! Thanks! – hsim Jul 02 '13 at 19:48

Prevent harmful call to database on string

2 Answers2