Question

Does mysql.data.entity have built-in protection against injection attacks? I feel like it should, as it doesn't pass in literals but rather objects, so they should never touch SQL, but I'm not sure.


Solution

Whilst one can't be certain without access to the MySQL provider code, it is extremely unlikely there are issues with regard to injection.

The EF provider specification and the tree-based SQL generation approach, and the sample, would suggest it is not likely to be vulnerable.

Of course, when one exposes direct SQL again, e.g. via

dbContext.Set<TEntity>().SqlQuery(sql); // or equivalent in < EF6 versions

then all bets are off.
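Added example, not part of the original answer or the provider's own code: the same lookup written as a LINQ query, as raw SQL built by concatenation, and as raw SQL with a parameter. It assumes EF6 with the MySql.Data.Entity provider; `User`, `AppDbContext` and the `Users` table are hypothetical names.

```csharp
// Added example; assumes EF6 (EntityFramework package) with the MySql.Data.Entity provider
// and a configured connection. User, AppDbContext and the Users table are hypothetical.
using System.Collections.Generic;
using System.Data.Entity;
using System.Linq;
using MySql.Data.MySqlClient;

public class User
{
    public int Id { get; set; }
    public string Name { get; set; }
}

public class AppDbContext : DbContext
{
    public DbSet<User> Users { get; set; }
}

public static class UserQueries
{
    // LINQ to Entities: the provider generates SQL from the expression tree
    // and sends `name` as a parameter value, never as SQL text.
    public static List<User> ByNameLinq(AppDbContext db, string name)
    {
        return db.Users.Where(u => u.Name == name).ToList();
    }

    // Raw SQL, vulnerable: `name` becomes part of the statement text,
    // so the database cannot tell the data from the SQL around it.
    public static List<User> ByNameRawUnsafe(AppDbContext db, string name)
    {
        var sql = "SELECT * FROM Users WHERE Name = '" + name + "'";
        return db.Users.SqlQuery(sql).ToList();
    }

    // Raw SQL, parameterized: the statement text is constant and the value
    // travels separately as a DbParameter.
    public static List<User> ByNameRawSafe(AppDbContext db, string name)
    {
        const string sql = "SELECT * FROM Users WHERE Name = @name";
        return db.Users.SqlQuery(sql, new MySqlParameter("@name", name)).ToList();
    }
}
```

When reviewing a code base, calls to `SqlQuery` and `Database.ExecuteSqlCommand` whose SQL argument is not a constant string are the places to check.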

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow