Open GoogleCodeExporter opened 9 years ago
A stop-gap measure would be to use the Data.Utility.DetectSqlInjection() in all
the places that take a string query.
Raise an exception or take other appropriate actions when SQL Injection is
detected.
Original comment by vaibhavk...@gmail.com
on 15 Feb 2011 at 1:39
Hello,
Do you have a patch of the changes you made to the current version of the
templates?
Thanks
-Blake Niemyjski
Original comment by bniemyjski
on 15 Feb 2011 at 3:31
Original comment by vaibhavk...@gmail.com
on 16 Feb 2011 at 5:20
Attachments:
Here is another option. This will detect SQL Injection for all GetPaged
methods.
File: /DataAccessLayer.SqlClient/SqlEntityProviderBase.generated.cst
//Detect SQL Injection
if (Utility.DetectSqlInjection(whereClause) ||
    Utility.DetectSqlInjection(orderBy))
{
    throw new Exception("SQL Injection Detected.");
}
I am not sure if throwing an exception is the best way. Alternatively we could
do this:
//Detect SQL Injection
if (Utility.DetectSqlInjection(whereClause) ||
    Utility.DetectSqlInjection(orderBy))
{
    count = 0;
    return rows;
}
Original comment by vaibhavk...@gmail.com
on 16 Feb 2011 at 6:10
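The comments above guard string `whereClause` / `orderBy` fragments with a blocklist detector and debate whether to throw or to return an empty page. The following is an added illustration, not .netTiers code and not the actual `Utility.DetectSqlInjection` implementation: a stand-in heuristic detector of the same kind (`LooksLikeInjection`, a hypothetical regex blocklist), the concatenated query shape it is guarding (`BuildUnsafe`, assumed to resemble what the GetPaged template emits), and a hardened builder (`BuildSafe`) that accepts only allow-listed column names for filters and ORDER BY and turns values into parameters, so no caller-controlled text reaches the SQL grammar. The `Customers` table and column names are constructed sample data.

```csharp
// Added example (not project code): blocklist stop-gap next to an allow-list + parameters approach.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public static class PagedQueryExample
{
    // Hypothetical heuristic in the spirit of a DetectSqlInjection helper: flags common injection tokens.
    // A blocklist is only a stop-gap: it can be bypassed and it also rejects legitimate input
    // (a surname such as O'Brien contains a quote).
    static readonly Regex SuspiciousTokens = new Regex(
        @"(--|;|/\*|\*/|\bxp_|\bexec\b|\bunion\b|\bdrop\b|')", RegexOptions.IgnoreCase);

    public static bool LooksLikeInjection(string fragment) =>
        fragment != null && SuspiciousTokens.IsMatch(fragment);

    // Assumed shape of a string-based GetPaged: raw fragments spliced straight into SQL text.
    public static string BuildUnsafe(string whereClause, string orderBy) =>
        "SELECT * FROM Customers WHERE " + whereClause + " ORDER BY " + orderBy;

    // Hardened variant: callers pass column/value pairs plus an ORDER BY column. Column names must be
    // in the allow-list (they become bracket-quoted identifiers); values become @pN parameters.
    public static (string Sql, List<KeyValuePair<string, object>> Parameters) BuildSafe(
        IReadOnlyList<KeyValuePair<string, object>> filters,
        string orderBy,
        bool descending,
        ISet<string> allowedColumns)
    {
        var parameters = new List<KeyValuePair<string, object>>();
        var predicates = new List<string>();
        int i = 0;
        foreach (var f in filters)
        {
            if (!allowedColumns.Contains(f.Key))
                throw new ArgumentException($"Unknown filter column '{f.Key}'.");
            string p = "@p" + i++;
            predicates.Add($"[{f.Key}] = {p}");
            parameters.Add(new KeyValuePair<string, object>(p, f.Value));
        }
        if (!allowedColumns.Contains(orderBy))
            throw new ArgumentException($"Unknown ORDER BY column '{orderBy}'.");

        string where = predicates.Count == 0 ? "1=1" : string.Join(" AND ", predicates);
        string direction = descending ? "DESC" : "ASC";
        string sql = $"SELECT * FROM [Customers] WHERE {where} ORDER BY [{orderBy}] {direction}";
        return (sql, parameters);
    }

    public static void Main()
    {
        var allowed = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "CustomerId", "Name", "City" };
        string hostile = "1=1; DROP TABLE Customers --";   // constructed hostile orderBy/whereClause input

        Console.WriteLine(LooksLikeInjection(hostile));               // True: the obvious case is caught
        Console.WriteLine(LooksLikeInjection("Name = 'O''Brien'"));   // True: a legitimate value is rejected too
        Console.WriteLine(BuildUnsafe(hostile, "Name"));              // the statement the detector is guarding

        var filters = new List<KeyValuePair<string, object>>
        {
            new KeyValuePair<string, object>("City", "Dublin")
        };
        var (sql, ps) = BuildSafe(filters, "Name", false, allowed);
        Console.WriteLine(sql);          // SELECT * FROM [Customers] WHERE [City] = @p0 ORDER BY [Name] ASC
        Console.WriteLine(ps[0].Key);    // @p0 (value "Dublin" travels as a parameter, never as SQL text)

        try
        {
            BuildSafe(new List<KeyValuePair<string, object>>(), hostile, false, allowed);
        }
        catch (ArgumentException e)
        {
            Console.WriteLine(e.Message);   // Unknown ORDER BY column '1=1; DROP TABLE Customers --'.
        }
    }
}
```

`BuildSafe` throws rather than returning an empty page: a silent `count = 0` result hides the attempt from the caller and from any logging or alerting layered on exceptions, whereas a thrown `ArgumentException` (or a more specific exception type) can be caught, logged with the offending input, and turned into a clean error response.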
Attachments:
Sorry for too many comments. :)
This patch contains changes for all DB types: SQL, SQL CE, Oracle, Generic.
Hope it helps. Thanks.
Original comment by vaibhavk...@gmail.com
on 16 Feb 2011 at 6:39
Attachments:
Hello,
Thanks for this.
Thanks
-Blake Niemyjski
Original comment by bniemyjski
on 16 Feb 2011 at 4:44
Original issue reported on code.google.com by
vaibhavk...@gmail.com
on 15 Feb 2011 at 1:35