I've noticed that when using Contains in EF
.Where(i => myListOfStrings.Contains(i.Value))
The generated SQL looks like this
IN ('Value1', 'Value2')
Since the values are not parameterized, isn't it possible to inject some SQL?
Asked
Active
Viewed 937 times
7
gsharp
- 27,557
- 22
- 88
- 134
-
Where are you viewing the generated SQL from? Profiler? I would assume EF is doing the relevant string encoding of the values before passing the query on. – Murray Foxcroft Jun 08 '16 at 11:20
-
Try it! Pass in something like `') OR 1=1--` – Rodders Jun 08 '16 at 11:26
-
http://stackoverflow.com/questions/473173/will-using-linq-to-sql-help-prevent-sql-injection – L-Four Jun 08 '16 at 11:29
-
@L-Four yes that I know, but in case of contains it doesn't create any parameters. – gsharp Jun 08 '16 at 11:33
-
@MurrayFoxcroft yes from profiler – gsharp Jun 08 '16 at 11:34
1 Answers
6
It will not just mindlessly construct IN statement from your Contains. At very least it will escape single quotes (by doubling them). Suppose you want to inject something like "') OR 1=1--" like suggested in comments, assuming that it will be converted to:
where ... IN ('') OR 1 = 1 -- the rest
But because single quotes are escaped that will be:
where ... IN (''') OR 1 = 1 --' -- the rest
So we are safe here, because your whole statement is treated as string.
Evk
- 98,527
- 8
- 141
- 191