From the course: Security in ASP.NET Core

SQL injection with Entity Framework Core - ASP.NET Tutorial

SQL injection with Entity Framework Core

- [Instructor] Many applications these days do not use SQL at all. It sounds a bit weird and of course most of them are using SQL in the background, but from an API perspective, the applications rely on something else. An OR mapper. An object relational mapper such as Entity Framework Core or NHibernate. And of course the idea here is you have an API. Here is an order, add the order to the database. You don't write any SQL. And the OR mapper then of course knows what is a command, what is data, and creates secure SQL, preventing SQL injection. But that's only part of the story, because all OR mappers I'm aware of still allow running raw SQL against a database. So with Entity Framework Core there is the SqlQueryRaw method on the database, or ExecuteRawQuery, or if you have some entity you can then run FromSqlRaw there. These methods allow sending verbatim SQL to the database. If that SQL has been cobbled together using string concatenation, then you once again have SQL injection…
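To make the raw-SQL point concrete, here is an added example (not code from the course) showing the concatenated FromSqlRaw call the instructor warns about next to the parameterized forms EF Core provides. The `Order` entity, `ShopContext` and the `Orders` table are hypothetical.

```csharp
using System.Linq;
using Microsoft.EntityFrameworkCore;

// Hypothetical entity and context, constructed for this example.
public class Order
{
    public int Id { get; set; }
    public string CustomerName { get; set; } = "";
    public bool Archived { get; set; }
}

public class ShopContext : DbContext
{
    public ShopContext(DbContextOptions<ShopContext> options) : base(options) { }
    public DbSet<Order> Orders => Set<Order>();
}

public static class OrderQueries
{
    // VULNERABLE: the caller's value is spliced into the command text, so the
    // database cannot tell where the command ends and the data begins.
    public static IQueryable<Order> ByCustomerUnsafe(ShopContext db, string customerName)
    {
        return db.Orders.FromSqlRaw(
            "SELECT * FROM Orders WHERE CustomerName = '" + customerName + "'");
    }

    // SAFE: FromSqlRaw with a {0} placeholder binds the value as a DbParameter;
    // the command text never changes, only the bound value does.
    public static IQueryable<Order> ByCustomerSafeRaw(ShopContext db, string customerName)
    {
        return db.Orders.FromSqlRaw(
            "SELECT * FROM Orders WHERE CustomerName = {0}", customerName);
    }

    // SAFE: FromSqlInterpolated takes a FormattableString and turns every
    // interpolation hole into a parameter. The $"..." literal must be passed
    // directly: assigning it to a plain string first silently reverts to concatenation.
    public static IQueryable<Order> ByCustomerSafe(ShopContext db, string customerName)
    {
        return db.Orders.FromSqlInterpolated(
            $"SELECT * FROM Orders WHERE CustomerName = {customerName}");
    }

    // The same rule applies to non-query commands on the Database facade.
    public static int ArchiveCustomerOrders(ShopContext db, string customerName)
    {
        return db.Database.ExecuteSqlInterpolated(
            $"UPDATE Orders SET Archived = 1 WHERE CustomerName = {customerName}");
    }
}
```

A quick check when reviewing EF Core code: any `FromSqlRaw`, `SqlQueryRaw` or `ExecuteSqlRaw` call whose first argument is built with `+`, `string.Format` or `$` on a `string` variable is the concatenation case the transcript describes; the placeholder and interpolated forms above are the parameterized replacements.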
