SQL injection with Entity Framework 5 — three ways of running the same title search through `Database.SqlQuery`: `Get` concatenates the caller's text into the SQL (injectable); `GetAgain` binds it as a parameter but calls a stored procedure, `Book_GetByTitle`, that re-concatenates it into dynamic SQL (still injectable, one hop further down); `GetParameterised` binds the value as a `SqlParameter` so it can only ever be data.
// VULNERABLE (kept deliberately as the negative example): the caller-supplied
// title is spliced into the SQL text, so a single quote in the input ends the
// string literal and whatever follows is parsed as SQL (e.g. a' OR 1=1 --
// returns every row). The empty object[] passed as "parameters" changes
// nothing: there is no placeholder in the statement for it to bind to.
// The safe form of this query is GetParameterised below.
public List<Book> Get(string title)
{
using (var context = new BooksContext())
{
// String concatenation into raw SQL; SqlQuery does not escape the text.
var result = context.Database.SqlQuery<Book>("SELECT * FROM Books WHERE Title LIKE '%" + title + "%'", new object[] { });
return result.ToList();
}
}
// STILL VULNERABLE, indirectly: the C# side is correct (title travels to the
// server as a parameter value), but the stored procedure Book_GetByTitle it
// calls (see the T-SQL at the bottom of this gist) concatenates @title into a
// dynamic SQL string and executes it with sp_executesql, so the injection
// simply moves from the application to the database layer. Parameterising
// the call only helps when every layer that touches the value keeps it as data.
public List<Book> GetAgain(string title)
{
using (var context = new BooksContext())
{
// Fine in isolation: the value is bound, never pasted into the command text.
var parameter = new SqlParameter("@title", title);
// EF sends "Book_GetByTitle @title" as the command; the proc decides what
// happens to the value from here on.
var result = context.Database.SqlQuery<Book>("Book_GetByTitle @title", parameter);
return result.ToList();
}
}
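/// <summary>
/// The safe variant: the caller-supplied text is bound as a SQL parameter, so it
/// can never alter the structure of the statement. The LIKE wildcards are added
/// here in C#, and any wildcard characters inside the caller's text are escaped
/// so that the search matches the text literally.
/// </summary>
/// <param name="title">Substring of the book title to search for. A null value
/// behaves like an empty string. The characters %, _ and [ are matched literally
/// rather than being interpreted as LIKE wildcards.</param>
/// <returns>All rows of Books whose Title contains <paramref name="title"/>.</returns>
public List<Book> GetParameterised(string title)
{
    using (var context = new BooksContext())
    {
        // Escape the T-SQL LIKE metacharacters so that a title such as "100%"
        // or "a_b" does not turn into a pattern. '[' must be escaped first,
        // because the two later replacements introduce '[' themselves.
        // Bracket escapes need no ESCAPE clause on the server side.
        var escaped = (title ?? String.Empty)
            .Replace("[", "[[]")
            .Replace("%", "[%]")
            .Replace("_", "[_]");
        // The wildcards are appended to the *value*, not to the SQL text, so the
        // statement itself stays constant and the value is always just data.
        var parameter = new SqlParameter("@title", String.Format("%{0}%", escaped));
        var result = context.Database.SqlQuery<Book>("SELECT * FROM Books WHERE Title LIKE @title", parameter);
        return result.ToList();
    }
}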
-- VULNERABLE: @title arrives safely as a procedure parameter, but the body
-- re-embeds it into a SQL string and executes that string. A single quote in
-- @title therefore closes the literal and the rest of the value runs as SQL,
-- with the permissions of the executing principal. This is why GetAgain in the
-- C# above is still injectable despite binding @title correctly.
-- Note the parameter is NVARCHAR(100): longer input is silently truncated at
-- the call boundary, which limits payload length but does not prevent injection.
CREATE PROCEDURE Book_GetByTitle
@title NVARCHAR(100)
AS
DECLARE @sql NVARCHAR(2000)
-- The concatenation below is the bug. Either drop the dynamic SQL entirely:
--   SELECT * FROM dbo.Books WHERE Title LIKE '%' + @title + '%'
-- or, if dynamic SQL is really needed, keep the value as a parameter of it:
--   EXEC sp_executesql N'SELECT * FROM dbo.Books WHERE Title LIKE ''%'' + @t + ''%''',
--        N'@t NVARCHAR(100)', @t = @title
SET @sql = 'SELECT * FROM dbo.Books WHERE Title LIKE ''%' + @title + '%'''
-- sp_executesql with no parameter definition is just EXEC of a string.
EXEC sp_executesql @sql
GO