Entity Framework vs SQL Injection (security?)

1

Hello! I'm a newbie in development, so I'm sorry if the question is silly. If it is, I'd appreciate links to references so I can better inform myself.

As much as I understand the concept and the use of SQL injection, I don't have enough malice to imagine attacks and practical uses, so I am concerned about the security of my application. I am developing in ASP.NET MVC with C# and data access with Entity Framework. I have read that the best method to avoid the infamous SQL injection is to use stored procedures for everything. But doing this with Entity Framework, it seems to me, would eventually remove all the practicality of that tool.

Then comes my doubt. If I make an entity like this:

public class Cliente
{
    public int ClienteID { get; set; }
    public string Nome { get; set; }
    public string CNPJ { get; set; }
    public string Telefone { get; set; }
}

And I create a standard Controller, using Scaffolding where I have an Edit action:

[HttpPost]
[ValidateAntiForgeryToken]
// Bind names must match the entity's property names (ClienteID, not ID)
public ActionResult Edit([Bind(Include="ClienteID,Nome,CNPJ,Telefone")] Cliente cliente)
{
    if (ModelState.IsValid)
    {
        // Change tracking issues a parameterized UPDATE for this entity
        db.Entry(cliente).State = EntityState.Modified;
        db.SaveChanges();
        return RedirectToAction("Index");
    }
    return View(cliente);
}

Am I subject to SQL injection if my user types an Insert or Delete clause in the Name field of my View? If so, how can I prevent this?

I see a lot of tutorials and courses teaching like this, but no one comments on security issues.

asked by anonymous 11.09.2017 / 15:52

1 answer

1

When we use LINQ to Entities it is free from SQL injection, yes. I'm not sure when ADO.NET is used.

Anyway, the way you're doing it, you cannot inject SQL code.

11.09.2017 / 15:58
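As an added illustration that is not part of the question or the answer, the following EF6 code queries the `Cliente` entity from the question in three ways: through LINQ to Entities, which is what the scaffolded controller relies on and which always emits parameters; through raw SQL built by string concatenation, which is the only way to reintroduce SQL injection with Entity Framework; and through raw SQL with a proper parameter. The `ClienteContext` class and the `Clientes` table name are assumptions for the example.

```csharp
using System.Data.Entity;
using System.Data.SqlClient;
using System.Linq;

// Assumed DbContext for the example; the table is assumed to be "Clientes"
// (EF's default pluralization of Cliente).
public class ClienteContext : DbContext
{
    public DbSet<Cliente> Clientes { get; set; }
}

public static class ClienteQueries
{
    // Safe: LINQ to Entities compiles the predicate to SQL with a parameter,
    // so whatever the user typed into Nome travels as data, never as SQL text.
    // This is the same mechanism that makes the scaffolded Edit action safe:
    // SaveChanges() emits a parameterized UPDATE.
    public static Cliente PorNomeLinq(ClienteContext db, string nome)
    {
        return db.Clientes.FirstOrDefault(c => c.Nome == nome);
    }

    // Vulnerable: the risk appears only when you leave LINQ and assemble the
    // SQL string yourself. A single quote inside nome closes the literal early
    // and the rest of the input is parsed and executed as SQL.
    public static Cliente PorNomeConcatenado(ClienteContext db, string nome)
    {
        string sql = "SELECT * FROM Clientes WHERE Nome = '" + nome + "'";
        return db.Database.SqlQuery<Cliente>(sql).FirstOrDefault();
    }

    // Hardened raw SQL: the value is passed as a SqlParameter. EF hands it to
    // SqlClient as @nome, so the database receives fixed SQL text plus a
    // separately typed value and never parses the input as SQL.
    public static Cliente PorNomeParametrizado(ClienteContext db, string nome)
    {
        const string sql = "SELECT * FROM Clientes WHERE Nome = @nome";
        return db.Database
                 .SqlQuery<Cliente>(sql, new SqlParameter("@nome", nome))
                 .FirstOrDefault();
    }
}
```

A quick way to check what actually reaches the database is `db.Database.Log = Console.Write;` before running each method: the LINQ and parameterized variants log a `@p__linq__0` or `@nome` parameter, while the concatenated variant logs the user's text spliced into the statement.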