Preventing SQL Injection with the Entity Framework and Data Services

Yesterday, at the Developer Dinner, I answered a bunch of questions around SQL Injection in the various usage scenarios of the ADO.NET Entity Framework & ADO.NET Data Services.  For the most part, my responses were correct.  However, the last question asked was specific to Entity SQL queries.  I misspoke.  This post is to clear things up.

Because Entity SQL is string based, it is susceptible to SQL Injection.  From Security Considerations (Entity Framework):

"Entity SQL injection attacks:

SQL injection attacks can be performed in Entity SQL by supplying malicious input to values that are used in a query predicate and in parameter names. To avoid the risk of SQL injection, you should never combine user input with Entity SQL command text.

Entity SQL queries accept parameters everywhere that literals are accepted. You should use parameterized queries instead of injecting literals from an external agent directly into the query."

Therefore, if you decide to execute queries using Entity SQL, you will want to review How to: Execute a Parameterized Query (Entity Framework). The rule is simple: user input goes into an ObjectParameter (or EntityParameter, if you use EntityClient directly), never into the command text, and parameter names are constants in your code, not values that come from the caller. I will be sure to update my Entity SQL demos to use parameterized queries.

The good news is that if you are using LINQ to Entities, then you are covered:

"LINQ to Entities injection attacks:

Although query composition is possible in LINQ to Entities, it is performed through the object model API. Unlike Entity SQL queries, LINQ to Entities queries are not composed by using string manipulation or concatenation, and they are not susceptible to traditional SQL injection attacks."
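The following example is added here to illustrate both passages above; it is not code from the original post or from the MSDN articles it quotes. The context class (BlogEntities), its entity set (Contacts), the Contact entity and its LastName property are assumed to have been generated by the Entity Framework designer, and the connection string named BlogEntities is assumed to exist in app.config. The first method concatenates input into Entity SQL command text, the second passes the same value as an ObjectParameter, and the third expresses the query in LINQ to Entities, where the value never touches a string at all.

```csharp
// Added example (not from the original post). BlogEntities, Contacts, Contact and
// LastName are assumed designer-generated names; the payload below is constructed.
using System;
using System.Data.Objects;
using System.Linq;

public static class EntitySqlInjectionDemo
{
    // VULNERABLE: the caller's string becomes part of the Entity SQL command text.
    // Entity SQL string literals use single quotes, so a value containing a quote
    // closes the literal and the rest of the input is parsed as Entity SQL.
    public static ObjectQuery<Contact> FindByLastNameUnsafe(BlogEntities context, string lastName)
    {
        string esql =
            "SELECT VALUE c FROM BlogEntities.Contacts AS c WHERE c.LastName = '" + lastName + "'";
        return context.CreateQuery<Contact>(esql);
    }

    // SAFE: the value travels as an ObjectParameter. Entity SQL accepts @parameters
    // anywhere a literal is accepted, and the command text stays constant no matter
    // what the caller supplies. The parameter name is a constant in code, not input.
    public static ObjectQuery<Contact> FindByLastNameSafe(BlogEntities context, string lastName)
    {
        string esql =
            "SELECT VALUE c FROM BlogEntities.Contacts AS c WHERE c.LastName = @lastName";
        return context.CreateQuery<Contact>(esql, new ObjectParameter("lastName", lastName));
    }

    // SAFE: LINQ to Entities composes the query through the object model API; the
    // provider turns the captured variable into a parameter when it builds the store
    // command, so there is no string to inject into.
    public static IQueryable<Contact> FindByLastNameLinq(BlogEntities context, string lastName)
    {
        return context.Contacts.Where(c => c.LastName == lastName);
    }

    public static void Main()
    {
        // Constructed payload: closes the literal, adds an always-true term,
        // then reopens a literal so the trailing quote still parses.
        string payload = "x' OR 1 = 1 OR c.LastName = 'x";

        using (BlogEntities context = new BlogEntities())
        {
            // CreateQuery does not execute anything until the query is enumerated,
            // so inspecting CommandText here needs no database round trip.
            Console.WriteLine("Unsafe command text:");
            Console.WriteLine(FindByLastNameUnsafe(context, payload).CommandText);
            // The predicate has been rewritten to match every contact.

            Console.WriteLine("Safe command text:");
            Console.WriteLine(FindByLastNameSafe(context, payload).CommandText);
            // Still "... WHERE c.LastName = @lastName"; the payload is just a value
            // that will be compared against LastName and match nothing.
        }
    }
}
```

When reviewing existing Entity SQL code, grep for `CreateQuery<` and `new ObjectQuery<` whose first argument is built with `+`, `String.Format` or `StringBuilder`; every one of those is a candidate for the ObjectParameter form above. The same applies to EntityCommand.CommandText when you talk to EntityClient directly, where the parameter type is EntityParameter.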

If I remember correctly, the question that started the series of SQL Injection questions was about introducing SQL Injection through an ADO.NET Data Services query.  ADO.NET Data Services queries go through a translation layer from the http request to the actual query execution.  Although this translation is not exactly the same, it is conceptually similar to what happens when you create LINQ to Entities queries in code: the query options in the URL are parsed into an expression tree rather than concatenated into command text.  Because of this translation layer you get the same protection from SQL Injection.

FOLLOW UP: Developer Dinner on .NET Framework 3.5 SP1

Thanks to everyone who attended!  You can download the deck and links to the code here:

http://cid-1f72da7294089597.skydrive.live.com/embedrow.aspx/Public/NETFX3.5SP1

Normally, I make my actual demo code available for download.  However, this time around, my demo code was based on the .NET 3.5 Enhancements Training Kit.  I blogged about it here:

http://blogs.msdn.com/devkeydet/archive/2008/08/18/free-training-on-net-framework-3-5-sp1-and-asp-net-mvc.aspx

The kit has everything I showed in my demos and more!  I also promised to link to a bunch of good content out there on the various topics.

General

MSDN -> Data Platform Development

“How Do I?” Videos — Data Platform Development

ADO.NET Entity Framework

MSDN Library -> ADO.NET Entity Framework

ADO.NET Team Blog

Entity Framework Design Blog

Sample provider for Oracle

Third Party Provider Support for the Entity Framework RTM

Updated Entity Framework Samples for RTM

ADO.NET Data Services

MSDN Library -> ADO.NET Data Services Framework

MSDN -> ADO.NET Data Services

ADO.NET Data Services Team Blog

https://channel9.msdn.com/tags/UK/ Has a bunch of GREAT screencasts from Mike Taulty.

ASP.NET Dynamic Data

MSDN Library -> ASP.NET Dynamic Data

http://www.asp.net/DynamicData/

David Ebbo’s blog (Dynamic Data and other ASP.NET topics)

WPF

http://windowsclient.net/wpf/default.aspx

What’s New in .NET Framework 3.5 Service Pack 1 (for WPF)

WPF DataGrid CTP Preview (Video)

cheat-sheet to some of the WPF 3.5 SP1 features..

WPF Control Toolkit (DataGrid CTP)

WCF

New WCF Features in 3.5 SP1

WCF Tools in VS2008 SP1: Introducing the new features and enhancements

Free training on .NET Framework 3.5 SP1 and ASP.NET MVC

Looking for free introductory training on the .NET 3.5 SP1 & ASP.NET MVC?  Head over to Jonathan Carter’s blog to get all the details on the .NET 3.5 Enhancements Training Kit RTM.  What will you find?  Information and links to download a kit that has presentations, demos, and labs covering what’s new in ASP.NET AJAX, ASP.NET Routing, ASP.NET MVC, ASP.NET Dynamic Data, ADO.NET Data Services, ADO.NET Entity Framework, WCF, and Visual Studio 2008 SP1.  If you’ve seen any of my 3.5 SP1 or my older "ASP.NET Futures" presentations, then you are already familiar with some of the content in the kit.  I used an early release of the kit as the foundation for some of my demos.  The kit has come a long way since I used it.  I skimmed through everything last week.  There is lots of good content in here!

WPF Datagrid & the WPF Toolkit

In addition to releasing the .NET Framework 3.5 SP1 last week, which included a number of improvements to WPF, the WPF Codeplex site went public.  This site is the home for the WPF Toolkit and WPF Futures.

From the site:

"The WPF Toolkit is a collection of WPF features and components that are being made available outside of the normal .NET Framework ship cycle. The WPF Toolkit not only allows users to get new functionality more quickly, but allows an efficient means for giving feedback to the product team. Many of the features will be released with full source code as well.  The Toolkit Roadmap outlines some of the upcoming features we have planned."

"WPF Futures includes sample controls and features, many of which are being considered for the Toolkit. Check out the Futures Roadmap to see some of the features we have planned."

The first CTP of the WPF Toolkit includes the new WPF Datagrid.  Future releases will include a DatePicker/Calendar and more.  Jaime Rodriguez already has 3 posts on the Datagrid:

dabbling around the new WPF datagrid (part 1)

datagrid (part 2) — Show me some code

Datagrid (part3): styling

While I am at it, Jaime has a nice little "cheat-sheet to some of the WPF 3.5 SP1 features" at http://blogs.msdn.com/jaimer/archive/2008/08/15/cheat-sheet-to-some-of-the-wpf-3-5-sp1-features.aspx


Virtual Earth ASP.NET Control Samples

John O’Brien, a Windows Live Developer MVP, has been cranking out samples of how to use the Virtual Earth ASP.NET Control.  He’s also blogging over at www.liveside.net now.  His latest post is titled Server Side Clustering and comes complete with videos!  John has also created a site where you can see his samples live and download all the samples at http://veasp.soulsolutions.com.au/.  He’s organized the samples in a similar fashion to the Virtual Earth Interactive SDK.  If you are leaning towards using the Virtual Earth ASP.NET Control, then you’d be silly not to check this stuff out!


Building Virtual Earth applications just keeps getting easier

I’ve given a number of presentations on Virtual Earth development over the last couple years.  The first thing ASP.NET WebForms developers say to me is how bummed they are that they have to write JavaScript.  That’s understandable.  ASP.NET WebForms developers have come to expect server controls to do most of the heavy lifting for them.  ASP.NET AJAX introduced the UpdatePanel control which allows you to AJAX enable your applications without having to write a single line of JavaScript.  Yesterday, as part of the latest Windows Live™ Tools for Microsoft® Visual Studio® 2008 CTP, a new Virtual Earth ASP.NET control was released.  This is a sweet control that makes integrating Virtual Earth into your ASP.NET applications as easy as drag, drop, set some properties, and wire up some server side code.  The new control, which is built on top of ASP.NET AJAX, does all the heavy lifting you’ve come to expect from ASP.NET AJAX enabled controls.  ASP.NET AJAX also introduced the concept of control extenders.  Extenders allow you to add AJAX functionality to existing server controls.  The Virtual Earth ASP.NET control ships with a ton of extenders that allow you to interact with the map without writing any code.  I had the luxury of getting early access to the bits.  I’ve taken the control for a thorough test drive.  I think ASP.NET developers are going to love this thing!  Chomping at the bit?  Have a look at http://dev.live.com/blogs/devlive/archive/2008/07/27/386.aspx to get an overview of the control, watch a video of how it works, and download the CTP.


SCREENCAST: Rendering Polygons from SQL Server 2008 on Virtual Earth

In this screencast, I build off of the concepts shown in my previous screencast and show you how to render a polygon on a Virtual Earth map using REST, Windows Communication Foundation (WCF), LINQ to SQL, and the new geography data type in SQL Server 2008.

To learn more about the GeoRSS utility library, visit:
http://blogs.msdn.com/eugeniop/archive/2008/07/01/simple-georss-utility-library-released.aspx

A big thanks to Eugenio Pace for letting me use it as part of my sample!

Screencast:

https://channel9.msdn.com/posts/keydet/Rendering-Polygons-from-SQL-Server-2008-on-Virtual-Earth/

Code:

http://cid-1f72da7294089597.skydrive.live.com/embedrow.aspx/Public/Virtual%20Earth/VeWcfSql08

SCREENCAST: Saving Virtual Earth Polygons to SQL Server 2008

In this screencast, I show you how to draw a polygon on a Virtual Earth map and save it using ASP.NET AJAX, Windows Communication Foundation (WCF), LINQ to SQL, and the new geography data type in SQL Server 2008.

Screencast:

https://channel9.msdn.com/posts/keydet/Saving-Virtual-Earth-Polygons-to-SQL-Server-2008/

Code:

http://cid-1f72da7294089597.skydrive.live.com/embedrow.aspx/Public/Virtual%20Earth/VeWcfSql08