Has MVC.Net any system to prevent SQL injection attack or should I check it manually in my code?

- SQL injection is usually handled at the ORM layer of the app. Most modern ORMs provide default protection from SQL injection (usually via parameterized queries or stored procedures). You should not try to roll your own query text-searching solution, if possible; it is fraught with edge cases. – Special Sauce Jun 08 '15 at 05:52
- I have my own `ORM`. My question is this: should I check for injection in my `ORM`, or does `MVC` itself have some system, like validation at the `razor` or `controller` level, that prevents injection? – Siamak Ferdos Jun 08 '15 at 05:58
- The query below is very similar to this one: http://stackoverflow.com/questions/9079400/control-sql-injection-in-mvc – Viswas Menon Jun 08 '15 at 05:58
- I don't believe MVC has any native support for SQL injection protection (and it shouldn't, as it is well outside MVC's expected scope). MVC does have a mechanism for script injection protection, but that is a separate issue. Does your ORM create a SQL statement by concatenating string values obtained from web page postbacks or query strings? – Special Sauce Jun 08 '15 at 06:01
- I thought `Sql Injection` could be validated at the view level. So maybe `MVC.Net`, which created some validation for inputs, has something like validation for injections too. In my `ORM` the main methods work with `SP`, but some of them create string queries. – Siamak Ferdos Jun 08 '15 at 06:06
- @viswas menon: But they discuss some `ORM`, not `MVC.NET` – Siamak Ferdos Jun 08 '15 at 06:08
- @Siamik Ferdos For preventing other attacks like XSS, MVC does have `@Html.AntiForgeryToken`. If what you want is the control itself to validate whether the user is trying to inject SQL, then it will be better to override and write an HTML helper of your own which will implement this validation. – Viswas Menon Jun 08 '15 at 06:19
3 Answers
This is independent of the frontend; the means to prevent this depend on the language you use and the features of your database connection.

Normally you simply use stored procedures to circumvent injection attacks.

See here for an example.
- I have my own `ORM`. My question is this: should I check for injection in my `ORM`, or does `MVC` itself have some system, like validation at the `razor` or `controller` level, that prevents injection? I use `C#` and `Razor`. – Siamak Ferdos Jun 08 '15 at 06:00
- @SiamakFerdos You should state this in your question, because this makes a difference and has an influence on what people will answer. Perhaps it is also a good idea to ask two questions (does MVC offer such a feature / does Razor offer such a feature) in your post, or ask a new question with focus on Razor. Perhaps this is of interest: http://www.troyhunt.com/2012/12/stored-procedures-and-orms-wont-save.html – Marged Jun 08 '15 at 09:36
> Has MVC.Net any system to prevent SQL injection attack

No, because this is outside the scope of 'MVC'.

MVC deals with the front-end, while SQL injection attacks occur at the back-end. MVC does not know how you are persisting your data, e.g. Entity Framework, nHibernate, ADO directly or your own ORM.

> should I check in my own code

From the comments, this appears to mean: should I check in my own ORM.

Yes. Always. Regardless of what you are using as a front-end, your own ORM should check for (or, more specifically, not allow by design) SQL injection attacks.

This leads to the question:

> can MVC check for this

Yes - you can write a custom validator attribute to apply to your POCO properties to check for some potential SQL injection attacks.

I said earlier "not allow by design" because there is no way you will be able to check for 100% of all possible current and future SQL injection methods for all of the DB engines that your ORM handles.

You'll also need to consider that 'attacks' will be different per DB engine (Oracle, TSQL, NoSQL), so any UI check will need to be aware of the DB engine currently in use.

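As an added example of the custom validator attribute this answer mentions (this is illustrative code, not code from the answer or from ASP.NET MVC itself): rather than searching input for SQL keywords, which the answer notes can never be complete, the attribute enforces an allow-list of characters for a field, so it is a defense-in-depth input check that still leaves parameterization to the data layer. The names `AllowListAttribute`, `SearchModel` and `AccountController`, and the chosen character class, are assumptions made up for this example.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Text.RegularExpressions;
using System.Web.Mvc;

// Hypothetical allow-list validator: accepts only the characters a field is
// expected to carry and rejects everything else. It knows nothing about SQL;
// the ORM must still bind values as parameters rather than concatenate them.
[AttributeUsage(AttributeTargets.Property | AttributeTargets.Field, AllowMultiple = false)]
public sealed class AllowListAttribute : ValidationAttribute
{
    private readonly Regex _pattern;

    public AllowListAttribute(string pattern)
        : base("The field {0} contains characters that are not allowed.")
    {
        // Anchor the pattern so the entire value must match, not just a substring,
        // and bound matching time so a hostile value cannot stall the request.
        _pattern = new Regex("^(?:" + pattern + ")$",
                             RegexOptions.CultureInvariant,
                             TimeSpan.FromMilliseconds(100));
    }

    public override bool IsValid(object value)
    {
        if (value == null) return true;               // combine with [Required] if empty is not allowed
        var text = value as string;
        return text != null && _pattern.IsMatch(text);
    }
}

// View model (constructed for this example) bound from a form post.
public class SearchModel
{
    // Only letters, digits, dot, underscore and hyphen, at most 50 characters.
    [Required, StringLength(50), AllowList(@"[A-Za-z0-9._-]+")]
    public string UserName { get; set; }
}

public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Search(SearchModel model)
    {
        // MVC runs the data annotations during model binding; a value that fails
        // the allow-list never reaches the repository call below.
        if (!ModelState.IsValid)
            return View(model);   // the Razor view renders the validation messages

        // Hypothetical repository call; it must use parameterized SQL regardless
        // of the validation above.
        var results = UserRepository.FindByNameParameterized(model.UserName);
        return View("Results", results);
    }
}
```

The design choice is that the attribute describes what a field legitimately contains, not what an attacker might send. That is also its limit: a surname field that must accept "O'Brien" cannot ban the apostrophe, which is exactly why the character check cannot be the SQL injection defense and the query must be parameterized.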
> Has MVC.Net any system to prevent SQL injection attack?

No, it does not. MVC is completely unaware of SQL servers. It is not its area of responsibility.

> I should check it manually in my code?

No. Absolutely not. If you rely on a string check to see if the user's input is intended to create an SQL injection, you will get it wrong. Even if you eventually get it right (at which point your validation code might get really long and complicated), all this effort will be in vain because you never needed to do it in the first place.

What you should do is always use parameters in your queries and never construct an SQL statement via string concatenation. If you are using a sane ORM framework, it will do that for you.

This advice does not change with or without the use of ASP.NET MVC.

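As an added example (not code from any of the answers), here is the same user lookup written three ways with ADO.NET against SQL Server: the concatenated form this answer tells you never to write, the parameterized text query it recommends, and the stored-procedure call the first answer recommends. The connection string, the `dbo.Users` table, the `dbo.GetUserByName` procedure and the `UserRepository` class are assumptions made up for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserRepository
{
    // Placeholder connection string for the example.
    private const string ConnectionString =
        "Server=(local);Database=AppDb;Integrated Security=true;";

    // 1) Vulnerable: the user's value becomes part of the statement text. A single
    //    quote in userName terminates the string literal and whatever follows is
    //    parsed as SQL, so the user controls the query's structure. Shown only to
    //    contrast with the two safe forms below; never execute this.
    public static string BuildUnsafeQuery(string userName)
    {
        return "SELECT Id, Email FROM dbo.Users WHERE UserName = '" + userName + "'";
    }

    // 2) Safe: parameterized text query. The statement's structure is fixed here;
    //    the value is sent separately and is never parsed as SQL, so quotes,
    //    comment markers or semicolons in userName are just characters.
    public static DataTable FindByNameParameterized(string userName)
    {
        const string sql = "SELECT Id, Email FROM dbo.Users WHERE UserName = @UserName";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit type and length: the value is bound, not concatenated.
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
            return Execute(conn, cmd);
        }
    }

    // 3) Safe: stored procedure with a typed parameter. Note this is only safe if
    //    the procedure itself does not rebuild dynamic SQL from its arguments by
    //    concatenating them into text passed to EXEC or sp_executesql.
    public static DataTable FindByNameStoredProcedure(string userName)
    {
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand("dbo.GetUserByName", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
            return Execute(conn, cmd);
        }
    }

    private static DataTable Execute(SqlConnection conn, SqlCommand cmd)
    {
        var table = new DataTable();
        conn.Open();
        using (var reader = cmd.ExecuteReader())
        {
            table.Load(reader);
        }
        return table;
    }
}
```

The point the two safe forms share is that the text the database compiles is a constant in your code; user input only ever arrives through `SqlParameter` values. An ORM of your own should expose nothing but this shape to its callers, which is what "not allow by design" in the previous answer amounts to.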