views:

25

answers:

1

I want to use an ORM, and have been looking at EF 4. Is this platform scalable? I see a lot of stuff on the web, but everything looks very biased in one way or the other. Anyone know of benchmarks or non-subjective information?

On that point, does EF prevent SQL injection or XSS? I know that it uses parameterized queries, but is that enough?

Any help is appreciated.

+1  A: 

Okay, so I see two questions here.

Is EF Scalable

Very difficult (and subjective) to answer, but IMO yes.

Here are a few reasons why:

  • Utilizes a common querying language (LINQ)
  • Allows for multiple providers (SqlServer, Oracle, etc)
  • Allows bi-directional mapping (code first, model first, database first)
  • Includes "classic ADO.NET" support (stored procedures, Entity-SQL)

The main real benefit in scalability is how the framework is built on LINQ-to-Entities. When you write queries, you are not writing against SQL Server or Oracle, you are writing against the Model. Depending on what Provider you have setup (in web.config), EF will translate these model queries into the appropriate T-SQL (or P-SQL).

Therefore (theoretically), you could write code against SQL Server, then change the web.config provider to Oracle, and your code should work. Obviously this isn't the case for Entity-SQL though (as you are writing T-SQL, not LINQ).

Does EF prevent SQL injection or XSS

No ORM tool can really "prevent" SQL Injection attacks - they can only provide the developer with the tools to prevent it.

As with classic ADO.NET where you use parameterized queries, Entity Framework has Entity-SQL, which allows you to execute pre-generated SQL, stored procedures, etc.

In this scenario, you need to use parameterized queries to prevent SQL injection. For most EF work, you will be writing queries with LINQ, which is a lot safer because it gets hydrated through a lot of stages before it becomes SQL.

XSS is exploited on the client-side via things like injected JavaScript, dodgy emails, etc. Has nothing to do with Entity Framework. Prevention of XSS is done on the client-side with things like HTML encoding.

RPM1984
Very nice writeup, thanks a bunch.
No worries, glad it helped.
RPM1984
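The distinction the answer draws (raw SQL and Entity-SQL need explicit parameters, LINQ to Entities parameterizes for you, and XSS is handled at output time) is easier to see side by side. The following is an added example written for this page, not code from the original post or from Entity Framework itself. It assumes an EF 4 ObjectContext-generated class named ShopEntities with a Products entity set whose Product entities expose a string Name property; those names are placeholders.

```csharp
// Added example (not from the original post): four ways to look up a product
// by a user-supplied name in EF 4 (ObjectContext API), plus output encoding.
// Assumed names: a generated ShopEntities context, a Products entity set,
// and a Product entity with a string Name property.
using System;
using System.Data.Objects;      // ObjectContext, ObjectQuery, ObjectParameter
using System.Data.SqlClient;    // SqlParameter
using System.Linq;
using System.Web;               // HttpUtility.HtmlEncode

public static class ProductLookup
{
    // VULNERABLE: raw SQL built by string concatenation. An input such as
    //   ' OR 1=1 --
    // turns the WHERE clause into a tautology and returns every row.
    // Using EF does nothing to stop this; the string reaches SQL Server as-is.
    public static Product[] UnsafeByName(ShopEntities ctx, string userInput)
    {
        string sql = "SELECT * FROM Products WHERE Name = '" + userInput + "'";
        return ctx.ExecuteStoreQuery<Product>(sql).ToArray();
    }

    // SAFE: same "classic ADO.NET" path, but the value travels as a
    // DbParameter, so the database never parses it as SQL text.
    public static Product[] StoreQueryByName(ShopEntities ctx, string userInput)
    {
        return ctx.ExecuteStoreQuery<Product>(
            "SELECT * FROM Products WHERE Name = @name",
            new SqlParameter("@name", userInput)).ToArray();
    }

    // SAFE: Entity-SQL with an ObjectParameter. The parameter is declared
    // without the '@' and referenced with it inside the query text.
    // Concatenating userInput into this string instead would be injectable
    // too, even though Entity-SQL is not T-SQL.
    public static Product[] EntitySqlByName(ShopEntities ctx, string userInput)
    {
        ObjectQuery<Product> q = ctx.CreateQuery<Product>(
            "SELECT VALUE p FROM ShopEntities.Products AS p WHERE p.Name = @name");
        q.Parameters.Add(new ObjectParameter("name", userInput));
        return q.ToArray();
    }

    // SAFE by default: LINQ to Entities. The expression tree is translated
    // to T-SQL by the configured provider and userInput becomes a command
    // parameter; it is never spliced into the command text.
    public static Product[] LinqByName(ShopEntities ctx, string userInput)
    {
        return ctx.Products.Where(p => p.Name == userInput).ToArray();
    }

    // XSS is an output-side concern, independent of how the row was read:
    // encode the stored value before it is written into HTML.
    public static string RenderName(Product p)
    {
        return "<li>" + HttpUtility.HtmlEncode(p.Name) + "</li>";
    }
}
```

The check to carry into a code review is simple: grep for ExecuteStoreQuery, ExecuteStoreCommand and CreateQuery, and confirm that every command string is a literal with @-parameters rather than a concatenation; LINQ queries need no such review for injection, but the values they return still need HTML encoding when rendered.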