SQL injection problem
OK, I use this route:

```csharp
routes.MapRoute(
    "Catalog/Data",
    "Catalog/{*data}",
    new { controller = "Catalog", action = "Category", data = "" }
);
```

The URL looks something like http://localhost/Catalog/Computer/Harddrives/internal

Data being the Computer/Harddrives/internal part.

I split it apart and validate the route.

Here is where my concerns are: atm I do not check for SQL injection.

I check the route by getting the category from the database using Entity Framework with this function:

```csharp
public Category GetByRoute(string Route)
{
    return (from c in XEntity.CategorySet
                .Where(c => c.Route == Route)
                .Where(c => c.IsEnabled == true)
            select c).FirstOrDefault();
}
```

Should I be worried about SQL injection with this?
Comments (1)
Linq2Sql and the Entity Framework use SQL parameters (except for one edge case), so you'll be fine.

In your case you're actually using LINQ over the CategorySet, and LINQ is executed locally in this case, so it's CategorySet that's touching the database; the where constraints run after (I believe). Again, in this case there's no problem.
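As an added illustration (not code from the question or the answer) of why parameters are what make this safe: the LINQ query, the concatenated raw-SQL anti-pattern, and a parameterised raw query side by side. It assumes an EF6 DbContext called CatalogContext with a DbSet<Category> named Categories; those names, the Regex allow-list and the SQL text are my own stand-ins for the question's XEntity.CategorySet.

```csharp
// Assumed EF6 DbContext (CatalogContext/Categories) standing in for the question's XEntity.CategorySet.
using System.Data.Entity;
using System.Data.SqlClient;
using System.Linq;
using System.Text.RegularExpressions;

public class Category
{
    public string Route { get; set; }
    public bool IsEnabled { get; set; }
}

public class CatalogContext : DbContext
{
    public DbSet<Category> Categories { get; set; }
}

public static class CategoryRepository
{
    // Allow-list for catalog routes: segments of letters, digits, '-' or '_' joined by '/'.
    static readonly Regex RouteShape = new Regex(@"^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$");

    // 1) LINQ to Entities: EF translates this to "WHERE [Route] = @p__linq__0" and sends the
    //    value as a parameter, so whatever the URL contains can never alter the SQL text.
    public static Category GetByRoute(CatalogContext db, string route)
    {
        return db.Categories
                 .Where(c => c.Route == route)
                 .Where(c => c.IsEnabled)
                 .FirstOrDefault();
    }

    // 2) Raw SQL built by string concatenation: the route becomes part of the statement.
    //    This is the pattern that is injectable; shown only as the anti-pattern to avoid.
    public static Category GetByRouteUnsafe(CatalogContext db, string route)
    {
        string sql = "SELECT * FROM Categories WHERE Route = '" + route + "' AND IsEnabled = 1";
        return db.Database.SqlQuery<Category>(sql).FirstOrDefault();
    }

    // 3) Raw SQL done safely: same statement, but the value travels as a SqlParameter.
    public static Category GetByRouteParameterised(CatalogContext db, string route)
    {
        const string sql = "SELECT * FROM Categories WHERE Route = @route AND IsEnabled = 1";
        return db.Database.SqlQuery<Category>(sql, new SqlParameter("@route", route)).FirstOrDefault();
    }

    // Validating the route shape is still good hygiene, but the parameter is what stops injection.
    public static bool IsWellFormedRoute(string route) => route != null && RouteShape.IsMatch(route);
}
```

If you want to confirm what EF actually sends, turn on `db.Database.Log = Console.Write;` (EF6) and look for the route value appearing as a parameter rather than inside the statement text.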