Closed MatteoZampariniDev closed 2 months ago
Hi, great question!
Remote linq, i.e. Remote.Linq.EntityFramework and Remote.Linq.EntityFrameworkCore for that matter, do not deal with SQL whatsoever. They simply apply linq expressions to EF, which takes care of translating these expressions to SQL as is done when using EF in a traditional way.
However, there are security concerns to be considered. Since queries typically are composed on the client tier, the client gets more power and flexibility as the server's API is not as restricted as it typically would be, e.g. exposing a WebAPI with well-defined methods and parameters. Here are some aspects to be considered:
What's more, for more advanced scenarios you may want to have a look at aqua-accesscontrol, which allows restricting fine-grained access for linq queries/expressions on global level, entity level, and property level. The library has not been actively maintained for a while but I'm happy to give it an update in case you're interested. Have a look at some unit tests to get an idea of how to use it: Aqua.AccessControl.Tests/When_applying_type_predicate_with_linq_to_object.cs
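The property-level restriction discussed in the answer above can be sketched with the standard `System.Linq.Expressions` API alone. This is an added example, not part of the thread and not the Remote.Linq or aqua-accesscontrol API: the `User` entity, `MemberAllowListVisitor` and the sample expressions are hypothetical, and it assumes the server inspects each client-supplied expression tree before handing it to EF.

```csharp
using System;
using System.Collections.Generic;
using System.Linq.Expressions;

// Constructed sample entity: PasswordHash must not be reachable from client queries.
public class User
{
    public int Id { get; set; }
    public string Name { get; set; } = "";
    public string PasswordHash { get; set; } = "";
}

// Hypothetical guard: walks the tree and rejects access to any entity member
// that is not on the per-type allow-list.
public sealed class MemberAllowListVisitor : ExpressionVisitor
{
    private readonly Dictionary<Type, HashSet<string>> _allowed;
    public MemberAllowListVisitor(Dictionary<Type, HashSet<string>> allowed) => _allowed = allowed;

    protected override Expression VisitMember(MemberExpression node)
    {
        var owner = node.Member.DeclaringType;
        // Only members of guarded entity types are policed; members of other
        // types (string.Length, captured variables) pass through unchanged.
        if (owner != null && _allowed.TryGetValue(owner, out var names) && !names.Contains(node.Member.Name))
            throw new UnauthorizedAccessException($"'{owner.Name}.{node.Member.Name}' is not queryable.");
        return base.VisitMember(node);
    }
}

public static class Demo
{
    public static void Main()
    {
        var guard = new MemberAllowListVisitor(new Dictionary<Type, HashSet<string>>
        {
            [typeof(User)] = new HashSet<string> { nameof(User.Id), nameof(User.Name) },
        });

        // Stand-ins for expressions deserialized from a client request (constructed).
        Expression<Func<User, bool>> allowed = u => u.Name.StartsWith("a") && u.Id > 10;
        Expression<Func<User, bool>> denied = u => u.PasswordHash.Length > 0;

        guard.Visit(allowed);
        Console.WriteLine("allowed: accepted");
        try { guard.Visit(denied); }
        catch (UnauthorizedAccessException ex) { Console.WriteLine("denied: " + ex.Message); }
    }
}
```

The check covers member access only; entity-level and global restrictions, as well as limits on which methods an expression may call, would need their own visitor overrides.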
Thank you for the exhaustive answer, sounds great
Hi! I'm interested in this library, is there any concern about SQL injection or similar?