Last active
December 19, 2015 07:59
-
-
Save dazfuller/5922148 to your computer and use it in GitHub Desktop.
SQL Injection with Entity Framework 5
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
public List<Book> Get(string title) | |
{ | |
using (var context = new BooksContext()) | |
{ | |
var result = context.Database.SqlQuery<Book>("SELECT * FROM Books WHERE Title LIKE '%" + title + "%'", new object[] { }); | |
return result.ToList(); | |
} | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
public List<Book> GetAgain(string title) | |
{ | |
using (var context = new BooksContext()) | |
{ | |
var parameter = new SqlParameter("@title", title); | |
var result = context.Database.SqlQuery<Book>("Book_GetByTitle @title", parameter); | |
return result.ToList(); | |
} | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
public List<Book> GetParameterised(string title) | |
{ | |
using (var context = new BooksContext()) | |
{ | |
var parameter = new SqlParameter("@title", String.Format("%{0}%", title)); | |
var result = context.Database.SqlQuery<Book>("SELECT * FROM Books WHERE Title LIKE @title", parameter); | |
return result.ToList(); | |
} | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
CREATE PROCEDURE Book_GetByTitle | |
@title NVARCHAR(100) | |
AS | |
DECLARE @sql NVARCHAR(2000) | |
SET @sql = 'SELECT * FROM dbo.Books WHERE Title LIKE ''%' + @title + '%''' | |
EXEC sp_executesql @sql | |
GO |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment