views:

92

answers:

3

Hello,

I have ASP.NET MVC 1.0 and Entity Framework v1 application.

By default, content submitted by the user is validated for malicious input (see here). HTML-encoding user-submitted data prevents JavaScript injection attacks. Entity Framework internally uses parameterized SQL, which will stop SQL injection.

Is this sufficient? What else can be done to detect, and stop, malicious (JavaScript/SQL injection) input?

Please advise.

Thank You.

+3  A: 

Use the Bind(Include ... attribute to prevent over-posting problems.

For more info check out this link: http://bradwilson.typepad.com/blog/2010/01/input-validation-vs-model-validation-in-aspnet-mvc.html

Hope this helps.

ali62b
+1  A: 

You should use ViewModels for presenting and retrieving data from views, and then validate them. This will be input validation.

Then pass the data from the ViewModels to your DomainModels (EF), and validate the domain models to prevent broken domain rules.

dario-g
+1  A: 

Further to what @ali62b posted:

// Blacklist form: every property of User except "id" is bound from the request.
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult MyAction( [Bind(Exclude="id")] User user )
{
    return View();
}

and

// Whitelist form: only "name" and "email" are bound; any other posted field is ignored.
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult MyAction( [Bind(Include="name, email")] User user )
{
    return View();
}
griegs
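As an added example (not code from any of the answers above), this combines the ViewModel approach from dario-g's answer with the whitelisting that ali62b and griegs describe: the action binds only a ViewModel, validates it, and copies the permitted fields onto the EF entity. The User and EditUserViewModel types, the IsAdmin field, IUserRepository and a custom controller factory that supplies the repository are all assumptions; MVC 1.0 is assumed, so validation is written out by hand rather than with DataAnnotations.

```csharp
using System.Web.Mvc;

// EF entity; IsAdmin is an assumed field that must never be set from a form post.
public class User
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }
}

// ViewModel: the binder can only fill these two properties, so a posted "IsAdmin"
// or "Id" field has nowhere to land (the same effect as Bind(Include=...)).
public class EditUserViewModel
{
    public string Name { get; set; }
    public string Email { get; set; }

    // Input validation; MVC 1.0 lacks DataAnnotations, so rules are explicit and go to ModelState.
    public void Validate(ModelStateDictionary modelState)
    {
        if (string.IsNullOrEmpty(Name) || Name.Trim().Length > 50)
            modelState.AddModelError("Name", "Name is required (max 50 characters).");
        if (string.IsNullOrEmpty(Email) || Email.IndexOf('@') < 1)
            modelState.AddModelError("Email", "A valid e-mail address is required.");
    }

    // Copy only the permitted fields onto the entity loaded from the database.
    public void ApplyTo(User user)
    {
        user.Name = Name.Trim();
        user.Email = Email.Trim();
    }
}

// Assumed repository over the EF ObjectContext, supplied by a custom controller factory.
public interface IUserRepository { User GetById(int id); void Save(); }

public class UsersController : Controller
{
    private readonly IUserRepository _users;
    public UsersController(IUserRepository users) { _users = users; }

    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Edit(int id, EditUserViewModel model)
    {
        model.Validate(ModelState);
        if (!ModelState.IsValid) return View(model); // redisplay; Html.Encode in the view handles output
        User user = _users.GetById(id);
        model.ApplyTo(user);   // domain-rule checks on the entity belong here
        _users.Save();         // EF issues parameterized SQL
        return RedirectToAction("Details", new { id });
    }
}
```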