LINQ Statement Vulnerable To SQL Injection?
Sep 29, 2010
Is this LINQ statement vulnerable to SQL injection?
var result = from b in context.tests
where b.id == inputTextBox.Text
select b;
where context is an Entity and tests is a table. I'm trying to learn LINQ and I thought that the benefit of it was that it wasn't vulnerable to SQL injection, but some stuff I've seen has said differently. Would I need to parameterize this LINQ statement to make it safer? If so, how? Also, would this be considered LINQ to SQL or LINQ to Entities?
View 6 Replies
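An added example (not from the original post or its replies) showing what the query provider does with the text-box value, with a raw-SQL counterpart for contrast. It assumes a LINQ to SQL DataContext named TestsDataContext whose tests table maps to an entity named test with a string id column; all of these names are hypothetical. With LINQ to Entities the same where clause is translated the same way; the generated SQL can be inspected with ((ObjectQuery)query).ToTraceString() instead of the Log property used here.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Linq;
using System.Linq;

public class TestRepository
{
    private readonly TestsDataContext context;

    public TestRepository(TestsDataContext context)
    {
        this.context = context;
        // Echo the generated SQL so the parameterization is visible (hypothetical context).
        this.context.Log = Console.Out;
    }

    // Safe: the where clause is an expression tree, not text. LINQ to SQL emits
    //   WHERE [t0].[id] = @p0
    // and sends the text-box value as @p0, so a payload such as
    //   ' OR 1=1 --
    // is compared as a literal string and never parsed as SQL.
    public IQueryable<test> FindById(string userInput)
    {
        return from b in context.tests
               where b.id == userInput
               select b;
    }

    // Vulnerable: the value is spliced into SQL text. Shown only for contrast.
    public IEnumerable<test> FindByIdUnsafe(string userInput)
    {
        string sql = "SELECT * FROM tests WHERE id = '" + userInput + "'";
        return context.ExecuteQuery<test>(sql);
    }

    // Safe again: the {0} placeholder of ExecuteQuery becomes a SqlParameter.
    // (String.Format would just splice the text and reintroduce the bug.)
    public IEnumerable<test> FindByIdRawParameterized(string userInput)
    {
        return context.ExecuteQuery<test>(
            "SELECT * FROM tests WHERE id = {0}", userInput);
    }
}
```

Which flavour the question's code is depends on the context class: a class derived from System.Data.Linq.DataContext is LINQ to SQL, one derived from System.Data.Objects.ObjectContext (the Entity Framework designer's output) is LINQ to Entities. Either way, a query written as an expression tree is parameterized; the injection risk only appears once SQL text is built from strings, as in FindByIdUnsafe above.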
Similar Messages:
Jan 23, 2011
using a linqDataSource control... in the selecting event I have code like the following for a simple search feature:
[Code]....
In general, would dynamically building the 'Where' property of a linqDataSource be vulnerable to sql injection? Or does the control protect against this internally?
View 6 Replies
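An added example, not the poster's code, of the pattern the control is built for: the Where property holds an expression with @name placeholders and the values arrive through WhereParameters, which the control turns into an expression tree rather than text. It assumes a LinqDataSource named ProductsDataSource over a hypothetical Products table with a Name column, a TextBox named SearchBox, and the declarative setting Where="Name.Contains(@search)" on the control; all names are hypothetical.

```csharp
using System;
using System.Web.UI.WebControls;

public partial class ProductSearch : System.Web.UI.Page
{
    // Markup assumed on the page (hypothetical):
    //   <asp:LinqDataSource ID="ProductsDataSource" runat="server"
    //        ContextTypeName="ShopDataContext" TableName="Products"
    //        Where="Name.Contains(@search)"
    //        OnSelecting="ProductsDataSource_Selecting" />
    protected void ProductsDataSource_Selecting(object sender,
                                                LinqDataSourceSelectEventArgs e)
    {
        // The user's text is supplied as the value of the @search parameter.
        // It is never concatenated into the Where expression, so a value like
        //   ") || true || ("
        // cannot change the filter; it is only ever matched as a substring.
        e.WhereParameters["search"] = SearchBox.Text;
    }
}
```

Concatenating the text-box value into the Where string itself would let a user alter the filter expression (it is parsed by the control's expression parser, not by SQL Server), so keep user input in WhereParameters and keep the Where expression fixed.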
Mar 5, 2010
I am having trouble with this. I have 3 data tables I use over and over again which are cached. I would like to write a LINQ statement which would do the following; is this possible?
T-SQL VERSION:
SELECT P.[CID],P.[AID]
,B.[AID], B.[Data], B.[Status], B.[Language]
FROM MY_TABLE_1 P
JOIN
(
SELECT A.[AID], A.[Data], A.[Status], A.[Language] FROM MY_TABLE_2 A
UNION ALL
SELECT B.[AID], B.[Data], B.[Status], B.[Language] FROM MY_TABLE_3 B
) B on P.[AID] = B.[AID]
WHERE B.[Language] = 'EN' OR B.[Language] = 'ANY' AND B.STATUS = 1 AND B.[Language] = 'EN' OR B.[Language] = 'ANY' AND B.STATUS = 1
Then i would like it to create a result set of the following
Results:
|CID|AID|DATA|STATUS|LANGUAGE
View 3 Replies
Mar 23, 2011
I am new to LINQ. I have a GridView which I am populating using LINQ. My LINQ statement is taking query string from previous page. The query string is in string format. Here is the code:
protected void Page_Load(object sender, EventArgs e)
{
string getEntity = Request.QueryString["EntityID"];
[code]...
View 3 Replies
Mar 5, 2010
I am trying to have the collection of order IDs be used in my where statement. How come I can't get this to work?
List<int> orders = new List<int>(){1,2,3,4,5};
DataTable dtTable1 = getOrders();
DataTable dtTable2 = getOrderDetails();
var results = from a in dtTable1.AsEnumerable()
join b in dtTable2.AsEnumerable() on a.Field<int>("ID") equals b.Field<int>("ID")
where orders.Contains(b.Field<int>("OrderID"))
select a;
View 2 Replies
Mar 4, 2011
I have the following method which returns a List:
public List<DistributionGroup> GetDistributionGroupsByUserId(Guid userId)
{
return (from dgu in db.DistributionGroup_Users where dgu.UserId == userId select
[code]...
View 3 Replies
Nov 29, 2010
Is it possible to generate dynamic LINQ statements? I need to be able to build conditional "WHERE" clauses for some of my LINQ statements. I don't want to write a giant block of code to handle every possible combination of filters, sorts and groups. I found an article online that outlines how to use string-based where clauses here. Does LINQ in framework 4.0 no longer support this? Every example I've found has giant walls of virtually unreadable, most likely unmaintainable code.
View 1 Replies
Mar 23, 2011
I have a GridView which is not bound to any DataSource. In my page load event I am writing this code:
protected void Page_Load(object sender, EventArgs e)
{
string getEntity = Request.QueryString["EntityID"];
int getIntEntity = Int16.Parse(getEntity);
[Code]....
Now I can see the the value is coming from previous page, but my GridView is not populating anything. What I am doing wrong here?
View 2 Replies
Nov 27, 2010
OK, so I know WHY I am having the error I am getting. I don't know HOW to fix it. Basically, if the user doesn't have a certain permission, I need to join another table. But .NET is so picky I can't just make two different queries in an IF statement and then use it outside of the if statement. I can think of some ugly workarounds for this, but I would rather not. I am fairly new to .NET; I know just enough to be dangerous.
[code]....
I get the error: Unable to cast object of type
'System.Data.Linq.DataQuery`1[VB$AnonymousType_1`11[System.Guid,System.String,System.String,System.String,System.String,System.Nullable`1[System.DateTime],System.Nullable`1[System.DateTime],System.Nullable`1[System.Guid],System.Nullable`1[System.DateTime],System.Nullable`1[System.Guid],System.Nullable`1[System.DateTime]]]' to type 'System.Collections.Generic.IEnumerable`1[Ten11CRMLib.Company]'.
because of this: Dim l As IEnumerable(Of Company). It's not just an IEnumerable of Company, it's got the source in it. I have to explicitly select source to use it in my datagrid. Can I make Dim l something that will make it stop complaining?
View 2 Replies
Jan 18, 2011
[Code]....
[Code]....
creating Linq query in return statement
View 2 Replies
Apr 5, 2010
[Code]....
I need a LINQ statement that shows whether the time in the DB is <= the time I get from my Session + 60 minutes. How?
View 3 Replies
Jun 22, 2010
I have a method to execute two "Update" sql statements.
The first one works fine and the second one I can't get to work at all.
Here is the entire method:
[Code]....
The error I am getting is "Incorrect syntax near '05'."
It is occurring on the next to the last line, which is:
dc.ExecuteCommand(sql);
I update the variable "sql" first so I can debug. At the time it crashes the value of sql is:
"Update Blogs set Status = 'Archived', ArchiveDate = 06/22/2010 05:14:46 PM Where (BlogID != 1) and (Status = 'Published') and (AuthorID = 9e37e028-c205-4903-920e-e8643b30a724)"
It appears to be the ArchiveDate that is causing the problem here. The "05" is the hour of the time portion. Both ArchiveDate and PublishDate are defined exactly the same in the database. If you look at the first dc.ExecuteCommand it does exactly the same thing with PublishDate (DateTime column) in the same table and it works just fine.
Then I modified the code and removed the ArchiveDate from the sql statement, and I get the error:
"Incorrect syntax near 'e028'."
which as you can see is part of the AuthorID's value in the where clause. So I am assuming both the date and the Guid / Author ID are causing problems. I have tried enclosing the values in quotes but I just can't make this work, even though it seems to be working fine in other places.
I even removed the code for the author ID and left in the code for the ArchiveDate and it still does not work, so I have proved that both are causing a problem.
View 1 Replies
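The failing statement above shows why the values should be passed as parameters instead of being formatted into the text: the unquoted date and GUID are read by SQL Server as syntax, and quoting them by hand is exactly what later turns into a SQL injection bug. An added example, not the poster's method, assuming a LINQ to SQL DataContext named BlogDataContext with a Blogs table whose Blog entity has BlogID, Status, ArchiveDate and AuthorID columns matching the statement; the names are hypothetical.

```csharp
using System;
using System.Data.Linq;
using System.Linq;

public static class BlogArchiver
{
    // Raw SQL with placeholders: ExecuteCommand turns {0}, {1} and {2} into
    // typed SqlParameters (datetime, int, uniqueidentifier). No quoting is
    // needed and the values can never be parsed as SQL syntax.
    public static int ArchivePublishedRaw(BlogDataContext dc, Guid authorId, DateTime archiveDate)
    {
        return dc.ExecuteCommand(
            "UPDATE Blogs SET Status = 'Archived', ArchiveDate = {0} " +
            "WHERE BlogID <> {1} AND Status = 'Published' AND AuthorID = {2}",
            archiveDate, 1, authorId);
    }

    // The same update with no SQL text at all: the where clause is an
    // expression tree and SubmitChanges issues parameterized UPDATEs.
    public static int ArchivePublished(BlogDataContext dc, Guid authorId, DateTime archiveDate)
    {
        var toArchive = dc.Blogs.Where(b => b.BlogID != 1
                                         && b.Status == "Published"
                                         && b.AuthorID == authorId).ToList();
        foreach (var blog in toArchive)
        {
            blog.Status = "Archived";
            blog.ArchiveDate = archiveDate;
        }
        dc.SubmitChanges();
        return toArchive.Count;
    }
}
```

Note the difference between ExecuteCommand's own placeholders and String.Format: formatting the string first and then calling ExecuteCommand(sql) produces exactly the unquoted text shown in the post, while passing the values as extra arguments to ExecuteCommand makes them parameters. The expression-tree version is preferable wherever the update is expressible in LINQ, since there is no SQL string to get wrong.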
Aug 18, 2010
My application includes a BUILDING table with columns BUILDING_ID, NAME, TOWN_ID. I run the LINQ query listed below and need to append two letters to buildings.NAME based on TOWN_ID. I assume that I need to place an "if" or "select" statement inside the query but I cannot figure out how to do that.
[Code]....
View 4 Replies
Mar 26, 2010
I am trying to insert a new account in my Accounts table with LINQ. I tried using the EntityModel and Linq2Sql. I get no insert into my database nor an exception of any kind.
public static Linq2SQLDataContext dataContext {
get { return new Linq2SQLDataContext(); }
}
[code]...
View 4 Replies
Mar 12, 2011
Right now I have an error if f.ParentID is null:
DataSet1.TreeItemRow[] TreeItemRows = (from f in tidt
                                       where f.ParentID == TreeItemId
                                       select f).ToArray();
I must continue if f.ParentID is null; I don't want to include null fields in the array. What is the right syntax for that in LINQ to SQL?
View 17 Replies
May 25, 2010
I am using LINQ to SQL. Tables have timestamp columns and I am using regular LINQ methodology in ASP.NET MVC. I do use detached entities and always try to do updates without first querying the database for the original entity. To update an entity I use context.Attach(entity, true) followed by context.SubmitChanges() and all is fine. The SQL statement that gets executed looks like:
[Code]...
View 7 Replies
Dec 15, 2010
Using LINQ to Entities I am connecting to a database. The database has tables in it that have payments that have a many-to-many relationship with jobs. This is achieved via an allocs table. I want a list box with all the jobs that has a column called due price which takes all of the allocations of payments for this job and takes that away from the job price. However, using the below LINQ to Entities statement, the problem is that if the job has no allocations it returns null and therefore the due payment is empty. What I really want is for the due payment to be the job price if there are no allocations; however, I cannot think of a way around this.
var jobs = from j in data.jobs
where j.property.customer.id == customerid
&& j.completed != null
select new
{
j.id,
j.price,
dueprice = j.price - ( from a in data.allocs
where a.job.id == j.id
select a.amount ).Sum(),
lineone = j.property.lineone,
postcode = j.property.postcode,
jobtype = j.jobtype.name,
j.completed
};
View 3 Replies
Aug 8, 2010
I have the following statement:
List<string> tracks = new List<string> { "ABC", "DEF" };
var items = (from i in Agenda.AgendaSessions
select i).Where(p => p.Tracks.Any(s => tracks.Contains(s.Code)));
This returns all sessions whose tracks contain either ABC or DEF. Now when I rewrite the statement like the following, it returns all sessions regardless, as if the clause always yields true:
var items = from i in Agenda.AgendaSessions
where i.Tracks.Any(s=> tracks.Contains(s.Code))
select i;
Update
if there are other clauses within the where, does that affect the results?
View 1 Replies
Nov 1, 2010
I'm using a literal to display some javascript on a product page control. Basically what I'm doing is in my code behind I'm declaring a new stringbuilder, writing the script while inserting some dynamic variables to populate the script then setting the literal text to the stringbuilder. This leaves me open to xss attacks. What can I do to prevent this?
System.Text.StringBuilder sb = new System.Text.StringBuilder();
//loop through items in the collection
for (int i = 0; i < _prod.ActiveProductItemCollection.Count; i++)
{
sb.Append("<script type='text/javascript'>");
//add +1 to each item
sb.AppendFormat("mboxCreate(\"product_productpage_rec{0}\",", i + 1);
[code]...
View 4 Replies
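An added example, not the control's original code, of the fix for the script-building loop above: every dynamic value that lands inside a JavaScript string literal is encoded for that context before it is appended, so quotes, backslashes and a "</script>" inside a product name cannot break out of the literal. It assumes a hypothetical product item with Name and Id properties and keeps the mboxCreate call from the post; HttpUtility.JavaScriptStringEncode is part of System.Web in .NET 4.0 (on 3.5, the AntiXSS library's JavaScriptEncode serves the same purpose).

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Web;

public class ProductItem
{
    public int Id { get; set; }
    public string Name { get; set; }
}

public static class RecommendationScript
{
    // Builds the <script> block for the literal. Integers go in unencoded (they
    // cannot contain script); strings are JS-string-encoded, which also turns
    // '<', '>' and '&' into \u003c, \u003e and \u0026 so "</script>" is inert.
    public static string Build(IList<ProductItem> items)
    {
        var sb = new StringBuilder();
        sb.Append("<script type='text/javascript'>");
        for (int i = 0; i < items.Count; i++)
        {
            sb.AppendFormat(
                "mboxCreate(\"product_productpage_rec{0}\", \"productId={1}\", \"productName={2}\");",
                i + 1,
                items[i].Id,
                HttpUtility.JavaScriptStringEncode(items[i].Name));
        }
        sb.Append("</script>");
        return sb.ToString();
    }
}

// Usage in the control's code-behind (hypothetical literal and collection):
//   recLiteral.Text = RecommendationScript.Build(_prod.ActiveProductItemCollection);
//
// A name such as  Widget"); alert(1); //  is emitted as
//   "productName=Widget\"); alert(1); //"
// and stays inside the string literal.
```

HTML encoding (HttpUtility.HtmlEncode) is the wrong function here: the values sit inside script, not inside HTML text, so the encoding has to match the JavaScript string context. If the values are needed by script but do not have to be script, an alternative that avoids the problem entirely is to emit them as HTML attributes (HtmlEncoded) or as a JSON blob and have a static script read them.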
Aug 21, 2010
I usually work with Windows Forms, and am just starting to work with ASP.NET, so apologies if this is a dumb question!
I have a master page which has a search button on it. The results of this are built up using a Linq statement and if there are any results, I want to display the results in a contents page.
On the masterpage, I have the following code:
[Code]....
On the SearchResults.aspx page I have this code.
[Code]....
m.searchRes is always nothing.
View 2 Replies
Apr 4, 2011
I have a GridView and on a row being deleted I trigger the GridView1_RowDeleting sub, but I receive an error "LINQ to Entities does not recognize the method 'System.Web.UI.WebControls.TableCell get_Item(Int32)' method, and this method cannot be translated into a store expression." Code is:
Private Sub GridView1_RowDeleting(sender As Object, e As System.Web.UI.WebControls.GridViewDeleteEventArgs) Handles GridView1.RowDeleting
' The deletion of the individual row is automatically handled by the GridView.
Dim dbDelete As New pbu_housingEntities
' Remove individual from the bed.
Dim remove_bed = From p In dbDelete.Beds _
Where p.occupant = GridView1.Rows(e.RowIndex).Cells(3).Text _
Where p.room = GridView1.Rows(e.RowIndex).Cells(6).Text _
Where p.building = GridView1.Rows(e.RowIndex).Cells(5).Text _
Order By p.id Descending _
Select p
remove_bed.First.occupant = ""
dbDelete.SaveChanges()
' Increase number of open spaces in room.
Dim update_occupancy = From p In dbDelete.Rooms _
Where p.room1 = GridView1.Rows(e.RowIndex).Cells(6).Text _
Where p.building = GridView1.Rows(e.RowIndex).Cells(5).Text _
Select p
update_occupancy.First.current_occupancy = update_occupancy.First.current_occupancy - 1
dbDelete.SaveChanges()
End Sub
The specific line erroring out is: remove_bed.First.occupant = ""
View 2 Replies
Feb 15, 2010
THE CODE:
Session["foo"] = "bar";
Response.Redirect("foo.aspx");
THE PROBLEM:
When foo.aspx reads "foo" from the session, it's not there. The session is there, but there's no value for "foo".
I've observed this intermittently in our production environment. But I don't mean here to ask a question about Response.Redirect().
THE EXPLANATION:
Bertrand Le Roy explains (the bolding is mine): Now, what Redirect does is to send a special header to the client so that it asks the server for a different page than the one it was waiting for. Server-side, after sending this header, Redirect ends the response. This is a very violent thing to do. Response.End actually stops the execution of the page wherever it is using a ThreadAbortException. What happens really here is that the session token gets lost in the battle.
My takeaway there is that Response.Redirect() can be heavy-handed with ending threads. And that can threaten my session writes if they occur too near that heavy-handedness.
THE QUESTION:
What about ASP.NET session management makes it so vulnerable to this? The Response.Redirect() line of code doesn't begin its execution until the session write line is "finished" -- how can it be such a threat to my session write? What about the session write doesn't "finish" before the next line of code executes? Are there other scenarios in which session writes are similarly (as though they never occurred) lost?
View 3 Replies
May 5, 2010
We have an application developed on VS2008 [ASP.NET & C#]. In this application we provide the facility for the user to write his/her business logic code. For that purpose we maintain a BusinessLogic.cs file where the user can write his/her code and our application builds it as a BusinessLogic.dll file at runtime.
But the problem is that when we introduce a LINQ statement/code into the BusinessLogic.cs file, it generates a compilation error [CS1026].
Note that when we build the dll from the VS2008 environment it works fine with the same code which we write into BusinessLogic.cs and doesn't generate any compilation error.
View 8 Replies
Mar 1, 2011
I performed tests against my web server using Shadow Security Scanner with the following results:
Web Servers : Vulnerable script
Port : 80
Description: Found vulnerable script on this web site
Risk level :High
Script: http://servername/ScriptResource.axd?d=P4tzN-eCJlchxi30M7K6eGzyH7tdeY4timDGCw0yDS45Ur477KM8CSqJQdqun4VDGbs5xXGPE 7VeqXqRIDyOHxwoopCbgbWmKFLiyKB1Qs5UDJTyZQYe4zURSEshSBwPOm1hORh40237AJZ_EWO2n2-3IwAzTY__px0r6WbIYgWamkVz0&t=/etc/passwd
CVE : GENERIC-MAP-NOMATCH
Why ScriptResource.axd is a vulnerable script?
View 1 Replies
Jan 11, 2010
I am trying to create a multi-column listbox by combining fields in a LINQ select statement, as Let Name = Last + First. The problem is how to pad the Last column with spaces as you would in SQL using REPLICATE, so when I bind the listbox to the data it looks like two columns.
View 5 Replies