Last post Feb 27, 2014 10:04 AM by sjnaughton
Feb 24, 2014 09:38 AM|Praveen Kadali
I have a doubt regarding an ASP.NET Dynamic Data application. In order to provide filtering in ASP.NET Dynamic Data, generally we provide a text box and assign it to the WhereParameters of the EntityDataSource, something like below.
<asp:ControlParameter ControlID="txt" DbType="String" />
If a user tries to enter some SQL injection into the text box control and performs the filtering, does the framework handle this kind of scenario, or do we need to take any preventive measures against this?
Feb 25, 2014 01:56 AM|Terry Guo - MSFT
Hi Praveen Kadali,
You don't need to worry about it, because the ControlParameter can detect the SQL injection; you can try to test it in your project.
When you input '--' in your textbox as the filter condition, it will only act as a filter value, not as a SQL statement.
Hope it helps.
Feb 27, 2014 10:04 AM|sjnaughton
Because it uses Entity Framework or LINQ to SQL, any queries are parameterised, so you need not worry. If you would like to test this out, just run SQL Monitor and try injecting something into the query using a filter etc. You will then see how the ORMs and DataSources handle it.
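Both replies rest on the same mechanism: a value supplied through a WhereParameter is sent to the database as a bound parameter, so the SQL text the ORM generates never changes and the text box contents are compared as data. The example below is added here to make that visible; it is not code from the thread or from the ASP.NET framework. It uses Python with an in-memory SQLite table of invented rows instead of Entity Framework, because the behaviour of parameter binding is the same in any driver that supports it. It puts the vulnerable string-concatenation query beside the parameterised one and runs both with a normal value, with the '--' value from the second reply, and with a classic OR 1=1 payload. The names Products, Widget and so on are assumptions for the demonstration. One caveat the thread does not spell out: this protection covers queries the ORM builds from LINQ or from the EntityDataSource Where clause. A raw SQL string that the developer assembles by concatenation and hands to the context (for example via ExecuteStoreQuery) gets no such protection, which is exactly the first function below.

```python
import sqlite3

# Constructed sample data standing in for the entity set behind the
# Dynamic Data page. Names and values are invented for this example.
PRODUCTS = [
    ("Widget", 0),
    ("Gadget", 0),
    ("Old Widget", 1),   # discontinued; a correct filter must never return it
    ("'--", 0),          # a legitimate name that happens to look like SQL syntax
]


def make_db():
    """Create an in-memory table with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Products (Id INTEGER PRIMARY KEY, Name TEXT, Discontinued INTEGER)"
    )
    conn.executemany("INSERT INTO Products (Name, Discontinued) VALUES (?, ?)", PRODUCTS)
    return conn


def filter_by_concatenation(conn, text):
    """Vulnerable pattern: the text box value is pasted into the SQL string.
    Anything the user types becomes part of the statement the database parses."""
    sql = ("SELECT Name FROM Products WHERE Discontinued = 0 "
           "AND Name = '" + text + "'")
    return [row[0] for row in conn.execute(sql)]


def filter_by_parameter(conn, text):
    """Safe pattern: the value is bound as a parameter. This is what Entity
    Framework, LINQ to SQL and EntityDataSource WhereParameters do; the SQL
    text is fixed and the user's input can only ever be a comparison value."""
    sql = "SELECT Name FROM Products WHERE Discontinued = 0 AND Name = ?"
    return [row[0] for row in conn.execute(sql, (text,))]


def compare(text):
    """Run the same filter value through both paths and return what each one
    gives back, so the difference can be checked rather than just printed."""
    conn = make_db()
    try:
        return {
            "concatenated": filter_by_concatenation(conn, text),
            "parameterised": filter_by_parameter(conn, text),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for value in ["Widget", "'--", "x' OR 1=1 --"]:
        print(repr(value), compare(value))
```

With "Widget" both paths agree. With "'--" the concatenated query becomes `Name = ''--'`, so the database compares against an empty string and treats the rest as a comment, returning nothing, while the parameterised query finds the row actually named '--'. With "x' OR 1=1 --" the concatenated query returns every row including the discontinued one, and the parameterised query correctly returns no match. Watching the statements in SQL Server Profiler against an EntityDataSource shows the same shape: a fixed query with `@p0`-style parameters, whatever the text box contained.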