Safe dynamic column name in dynamic LINQ

dynamic-linq entity-framework linq-to-entities sql-injection

Question

I'm trying to create a dynamic WHERE clause with LINQ. I have a working example but I'm worried that it's not safe from SQL injection.

The following LINQ code:

var oQuery = _db.People.Where("FirstName.Contains(@0)", "kev");

produces the following SQL:

SELECT 
[Extent1].[FirstName] AS [[FirstName], 
[Extent1].[LastName] AS [[LastName], 
WHERE [Extent1].[[FirstName] LIKE '%kev%'

This works great, but now I want to use a dynamic column name as well. So I was thinking I would do the following:

var oQuery = _db.People.Where("@0.Contains(@1)", strSelectedColumn,"kev");

But this produces the following SQL:

  SELECT 
    [Extent1].[FirstName] AS [[FirstName], 
    [Extent1].[LastName] AS [[LastName], 
    WHERE N'FirstName' LIKE N'%kev%'}

which obviously is wrong and gives 0 rows as result because he is comparing 2 strings. By using the params LINQ will probably just inject the params as string when the query is build and not use the effective column name during the build.

The solution is to just use the following LINQ Query:

var oQuery = _db.People.Where(strSelectedColumn + ".Contains(@0)", "kev");

But this result in possible unsafe SQL which can be used to inject SQL.

How can I use my dynamic LINQ columns and still get safe code?

1
1
2/5/2014 4:40:19 PM

Accepted Answer

This line

var oQuery = _db.People.Where(strSelectedColumn + ".Contains(@0)", "kev");

generate safe SQL code, because before generating SQL query dynamic linq parse string expression and create expression trees. So if in strSelectedColumn not valid column then dynamic linq raise parse exception before generate sql query.

when you use this

var oQuery = _db.People.Where("@0.Contains(@1)", strSelectedColumn,"kev");

you get

WHERE N'FirstName' LIKE N'%kev%'

because you don't check value of field, you try check value of string parameters.

0
2/14/2014 6:31:36 AM

Popular Answer

Column names generally consist of nothing but letters, so you can apply "dumb" sanitization on the user input:

// user input: "abc';evil statement here"

strSelectedColumn = new string(strSelectedColumn.Where(c => char.IsLetter(c)).ToArray());
// abcevilstatementhere

var oQuery = _db.People.Where(strSelectedColumn + ".Contains(@0)", "kev");


Related Questions





Licensed under: CC-BY-SA with attribution
Not affiliated with Stack Overflow
Licensed under: CC-BY-SA with attribution
Not affiliated with Stack Overflow