I have imported a SQL Server stored procedure into the .edmx file. I’m calling the generated method like:
entity.MySP(stringInput)
Does the stringInput parameter need to be validated (for SQL injections etc) when using EF, or can I assume EF does that for me? If not, is there a method I can call to escape/validate the input parameter?
I’m using SQL Server 2008 R2, .NET 4.0, C#, ASP.NET MVC 4, VS2010.
EDIT:
Note that I’d like to use LINQ instead of calling a SP, but I’m using FREETEXT, so I think this is the more elegant solution.
You can read more about LINQ to Entity Framework Security here, http://msdn.microsoft.com/en-us/library/cc716760.aspx. Look at the section titled “Security Considerations for Queries”.
To answer your question specifically, Entity Framework will call your stored procedure and pass in the stringInput value. That means even if stringInput is a SQL statement meant to inject something harmful into your database, just passing it to your stored procedure will not cause a SQL Injection attack.
However, depending on how you use stringInput in your stored procedure, you could still leave yourself open to an attack. Specifically, if you use stringInput in a dynamic SQL statement that you execute, you are leaving yourself open to attack. If you use it to do a compare in the WHERE section of a SELECT statement you should be safe.
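An added T-SQL example (not from the question or the answer above) showing the distinction the answer draws: a FREETEXT procedure that compares the parameter as a value is safe, one that splices it into an EXEC string is not, and sp_executesql keeps the value a parameter even when the statement is built dynamically. The table dbo.Products and its columns are assumed.

```sql
-- Assumed schema: a full-text indexed table dbo.Products(Id, Name, Description).

-- Safe: @search is only ever compared as a value. EF sends it as a typed
-- parameter and the server never parses its contents as SQL text.
CREATE PROCEDURE dbo.SearchProducts_Safe @search NVARCHAR(200)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT Id, Name, Description
    FROM dbo.Products
    WHERE FREETEXT(Description, @search);
END
GO

-- Unsafe: the parameter value is concatenated into a statement string and
-- executed, so whatever the caller typed becomes part of the SQL text.
CREATE PROCEDURE dbo.SearchProducts_Unsafe @search NVARCHAR(200)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT Id, Name, Description FROM dbo.Products '
      + N'WHERE FREETEXT(Description, ''' + @search + N''')';
    EXEC (@sql);   -- a quote inside @search ends the literal; the rest is parsed as SQL
END
GO

-- If the statement really must be built at run time (here the searched column
-- is chosen by the caller), keep the search value a parameter with
-- sp_executesql; only a whitelisted identifier goes into the string, via QUOTENAME.
CREATE PROCEDURE dbo.SearchProducts_Dynamic @column SYSNAME, @search NVARCHAR(200)
AS
BEGIN
    SET NOCOUNT ON;
    IF @column NOT IN (N'Name', N'Description')
    BEGIN
        RAISERROR(N'Unsupported search column', 16, 1);   -- RAISERROR works on 2008 R2
        RETURN;
    END;
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT Id, Name, Description FROM dbo.Products WHERE FREETEXT('
      + QUOTENAME(@column) + N', @search)';
    EXEC sp_executesql @sql, N'@search NVARCHAR(200)', @search = @search;
END
GO
```

Called from EF as entity.SearchProducts_Safe(stringInput), the string arrives in @search unchanged and needs no escaping on the C# side; the only thing to review is what the procedure body does with it.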