From the course: ASP.NET: Security
SQL injection with Entity Framework
- [Instructor] Many applications these days do not use SQL at all. This sounds a bit weird, and of course they are using SQL in the background, but from an API perspective, the application uses something else. It's using an O/R mapper, an object-relational mapper like Entity Framework, which is the approach that Microsoft suggests, which is kind of obvious since it comes from Microsoft. Entity Framework provides us with an API. We have a data model. Then we work with that model: we have methods, we have properties, we have a strongly typed interface for our database, and Entity Framework is responsible for turning our API calls into proper SQL statements. Since we now have this distinction between commands and data, we should be safe from SQL injection, shouldn't we? Well, we are, unless we're using some very rarely used APIs. There are ways of executing raw SQL with Entity Framework, depending on the Entity Framework version you're using. If you have a DbSet, there's the SqlQuery method,…
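The raw-SQL entry points the instructor is describing, shown as an added example that is not part of the course or its exercise files. It uses Entity Framework Core's `FromSqlRaw` and `FromSqlInterpolated` (the EF Core counterparts of the `DbSet.SqlQuery` method mentioned above); the `Product` entity, the `ShopContext` class and the `Products` table name are constructed for this example, and a relational provider such as SQL Server or SQLite is assumed, since the in-memory provider does not execute raw SQL.

```csharp
// Added example (not the course's own code): where SQL injection can re-enter an
// Entity Framework application, and how to keep the raw-SQL escape hatches parameterized.
// Assumes EF Core (Microsoft.EntityFrameworkCore) with a relational provider; the
// Product entity, ShopContext and the Products table are constructed for this example.
using System.Collections.Generic;
using System.Linq;
using Microsoft.EntityFrameworkCore;

public class Product
{
    public int Id { get; set; }
    public string Name { get; set; } = "";
    public decimal Price { get; set; }
}

public class ShopContext : DbContext
{
    public ShopContext(DbContextOptions<ShopContext> options) : base(options) { }
    public DbSet<Product> Products => Set<Product>();
}

public static class ProductQueries
{
    // Ordinary LINQ: EF generates the SQL and binds 'name' as a parameter, so the
    // value can never be interpreted as part of the statement. This is the normal path
    // and is the reason the instructor says EF applications are "safe" by default.
    public static List<Product> ByNameLinq(ShopContext db, string name) =>
        db.Products.Where(p => p.Name == name).ToList();

    // VULNERABLE: the raw-SQL escape hatch with user input concatenated into the text.
    // A single quote inside 'name' terminates the string literal, and whatever follows
    // is parsed as SQL. The commands/data distinction the O/R mapper gave us is gone.
    public static List<Product> ByNameRawConcat(ShopContext db, string name) =>
        db.Products
          .FromSqlRaw("SELECT * FROM Products WHERE Name = '" + name + "'")
          .ToList();

    // SAFE: FromSqlRaw with a placeholder. EF turns {0} into a DbParameter, so the
    // value travels separately from the statement text and cannot change its shape.
    public static List<Product> ByNameRawParam(ShopContext db, string name) =>
        db.Products
          .FromSqlRaw("SELECT * FROM Products WHERE Name = {0}", name)
          .ToList();

    // SAFE: FromSqlInterpolated accepts a FormattableString, not a string, so each
    // interpolation hole becomes a parameter. The $"..." must be written directly in
    // the call: assigning it to a plain string first collapses it to text and would
    // hand the concatenated SQL to the raw overload instead.
    public static List<Product> ByNameInterpolated(ShopContext db, string name) =>
        db.Products
          .FromSqlInterpolated($"SELECT * FROM Products WHERE Name = {name}")
          .ToList();
}
```

When reviewing an EF code base for this class of bug, the check is mechanical: search for `FromSqlRaw`, `ExecuteSqlRaw`, and in EF6 `SqlQuery` and `ExecuteSqlCommand`, and confirm that every call site passes user-controlled values through the parameter arguments rather than building the SQL string with `+`, `string.Format` or `string.Concat`. The LINQ path needs no such review.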
Contents
- OWASP Top 10 (3m 36s)
- Cross-site scripting (XSS): The attack (5m 10s)
- Cross-site scripting (XSS): The defense (4m 18s)
- Cross-site scripting (XSS) in JavaScript (5m 19s)
- Same-origin policy and CORS (5m 12s)
- Enabling CORS in ASP.NET Web API (6m 20s)
- SQL injection with ADO.NET (3m 56s)
- SQL injection with Entity Framework (3m 32s)
- Fixing SQL injection (4m 27s)
- Cross-Site Request Forgery (CSRF) (4m 40s)
- Defending against CSRF (4m 24s)