views:

382

answers:

2

I'm working on this system, Stacked, and I am creating the search function. In that process it occurred to me that maybe AR/NHibernate Expression.Like (and siblings) might not be 100% "safe", in that you can create stuff like "\r\ndrop database xxx;---" and similar things...?

I would expect them to be safe, but I am not sure...

A: 

If you find a security bug, you should definitely file it. Many rely on such things.

Dustin
+4  A: 

NHibernate (and by extension ActiveRecord) generates parameterized SQL statements of the form sp_executesql 'select blah from table where column = @p1', '@p1 varchar(10)', @p1 = 'drop database xxx;---' for queries. These types of SQL statements are safe from SQL injection because the contents of the parameters are not executed (unlike the way they would be if simple concatenation were used).

So yes, both are "safe".

Sean Carpenter
Thank you, great :)
Thomas Hansen
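The difference the accepted answer describes, shown as an added example that is not part of the original thread and not NHibernate or ActiveRecord code. It uses Python's sqlite3 module as a stand-in for the ORM's parameterized command: the same LIKE search is built once by string concatenation and once with a bound parameter, then both are fed the kind of payload the question mentions. The users table and its three rows are constructed here for illustration. It also covers one caveat the answer does not mention: a bound parameter stops injection, but the LIKE wildcards % and _ inside it are still interpreted as wildcards unless you escape them yourself.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original thread).
ROWS = [("alice", "admin"), ("bob", "user"), ("carol_x", "user")]

SEARCH_SQL = "SELECT name FROM users WHERE name LIKE "


def make_db():
    """Fresh in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def search_concat(conn, term):
    """Vulnerable: the search term is spliced into the SQL text, so quotes,
    OR clauses and comment markers in it become part of the query."""
    sql = SEARCH_SQL + "'%" + term + "%'"
    return sorted(r[0] for r in conn.execute(sql))


def search_concat_batched(conn, term):
    """Same concatenation on a connection that accepts a batch of statements
    (as a SQL Server command would); executescript stands in for that driver.
    Nothing is returned: the point is what the batch does to the schema."""
    sql = SEARCH_SQL + "'%" + term + "%'"
    conn.executescript(sql)


def search_param(conn, term):
    """Safe from injection: the term travels as a bound parameter, so the
    database treats its whole content as one string value, never as SQL."""
    rows = conn.execute(SEARCH_SQL + "?", ("%" + term + "%",))
    return sorted(r[0] for r in rows)


def search_param_escaped(conn, term):
    """Bound parameter plus escaping of the LIKE wildcards, so a user-supplied
    '%' or '_' matches itself instead of acting as a wildcard."""
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    rows = conn.execute(SEARCH_SQL + "? ESCAPE '\\'", ("%" + escaped + "%",))
    return sorted(r[0] for r in rows)


def table_exists(conn, name="users"):
    """True while the table is still in the schema."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name=?",
        (name,)).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = make_db()
    payload = "x%' OR '1'='1' --"
    print("concat   :", search_concat(db, payload))     # every row leaks
    print("parameter:", search_param(db, payload))      # no row matches
    print("wildcard '_' unescaped:", search_param(db, "_"))
    print("wildcard '_' escaped  :", search_param_escaped(db, "_"))
    search_concat_batched(db, "\r\n'; DROP TABLE users; --")
    print("users table still exists:", table_exists(db))
```

With the single-statement sqlite3 cursor the DROP payload from the question would simply raise an error in search_concat, which is why the batched variant exists: it models the driver behaviour the question worries about, where a concatenated "\r\n'; drop ..." really does run. The parameterized versions never reach that point because the payload is only ever compared against column values.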