Is there any reason to migrate from MySql to SQL server 2008 if one's main concern is the blocking of SQL injection attacks?

Does Linq2Sql or EF provide additional protection?

A: 

If you use stored procedures in SQL Server, it's more difficult to have a SQL injection error.

JoaquinG
-1 this is inaccurate, stored procedures themselves offer no protection if you build dynamic SQL inside the stored procedures. The one and only true prevention is parametrized queries. This usually implicitly includes stored procs since most normally won't do dynamic SQL inside them, but to state "use stored procs" is misleading and obscures why they *potentially* resist SQL injection.
Chris Marisic
+5 A: 

No. The strategies for blocking against SQL Injection Attacks are similar (parameterized queries rather than dynamically built, stored procedures, checking parameters for malicious values, etc.).

And yes, since you're not writing any SQL code with EF or Linq To Sql, you could consider that an additional layer of protection.

Justin Niessner
@Justin: Straight from the MSDN: "LINQ to SQL translates the queries you write into parameterized SQL queries (in text form) and sends them to the SQL server for processing." That's only an additional layer of protection if you aren't using parameterized queries. It is perfectly possible to write parameterized queries without using Linq.
Brian
@Brian - I never said that you couldn't write parameterized queries without LINQ. In fact I said the exact opposite in my first statement. LINQ to SQL just generates them for you (since there are plenty of developers out there still not writing parameterized queries themselves).
Justin Niessner
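The point made in both answers above (parameters are bound as data, while a query string built from user input, whether in application code or inside a stored procedure that does `EXEC(@sql)`, treats that input as SQL text) is engine-independent. The following added example, not code from the thread or from any Microsoft library, shows it with Python's standard `sqlite3` module so it runs offline; the `users` table and its rows are constructed here, and `find_user_dynamic` stands in for any wrapper, stored procedure included, that concatenates its argument into the query.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for an application's Users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_dynamic(conn, name):
    # Vulnerable pattern: the caller's string becomes part of the SQL text.
    # Wrapping this in a stored procedure that concatenates its parameter
    # and then executes the string changes nothing about the risk.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, name):
    # Hardened pattern: the SQL text is fixed; the driver binds the value
    # as data, so quotes or SQL keywords in it are never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(conn, name):
    # Run both variants on the same input so the difference is visible.
    # A legitimate name containing an apostrophe breaks the dynamic query
    # (syntax error) while the parameterized one simply finds no match.
    try:
        dynamic = find_user_dynamic(conn, name)
    except sqlite3.OperationalError as exc:
        dynamic = "error: %s" % exc
    return {"dynamic": dynamic, "parameterized": find_user_parameterized(conn, name)}


if __name__ == "__main__":
    db = make_db()
    for candidate in ("alice", "o'brien", "x' OR '1'='1"):
        print(repr(candidate), compare(db, candidate))
```

Running the block shows that the parameterized lookup returns exactly the matching row (or nothing) for every input, whereas the concatenated version either fails on an ordinary apostrophe or returns every row for a tautology, which is the behaviour the thread is warning about. Migrating engines does not change this; binding parameters (directly, or via LINQ to SQL / EF generating them) does.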
+1 A: 

Most of the work you can do to protect your system against SQL injection is outside the database, so that's not enough reason to change the DB engine.

You may want to take a look at the WPL library from Microsoft.

The Microsoft Web Protection Library (WPL) is a set of .NET assemblies which will help you protect your web sites, current, future and past. The WPL includes

AntiXSS
AntiXSS provides a myriad of encoding functions for user input, including HTML, HTML attributes, XML, CSS and JavaScript.

  • White Lists: AntiXSS differs from the standard .NET framework encoding by using a white list approach. All characters not on the white list will be encoded using the correct rules for the encoding type. Whilst this comes at a performance cost, AntiXSS has been written with performance in mind.
  • Secure Globalization: The web is a global market place, and cross-site scripting is a global issue. An attack can be coded anywhere, and Anti-XSS now protects against XSS attacks coded in dozens of languages.

Security Runtime Engine
The Security Runtime Engine (SRE) provides a wrapper around your existing web sites, ensuring that common attack vectors do not make it to your application. Protection is provided as standard for

  • Cross Site Scripting
  • SQL Injection
Claudio Redi
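To make the "white list" encoding idea in the WPL description concrete, here is an added example in Python; it is not AntiXSS code and does not reproduce its exact allow list, which is an assumption here. It encodes every character outside a small allowed set as a numeric HTML entity and contrasts that with the standard library's deny-list style `html.escape`, which only touches a handful of characters.

```python
import html

# Assumed allow list for HTML text context: letters, digits and a few
# punctuation marks. Everything else is encoded, regardless of whether we
# know it to be dangerous (this is what makes the approach a white list).
SAFE_HTML_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ,.-_"
)


def html_encode_allowlist(text: str) -> str:
    """Encode every character not on the allow list as a numeric entity."""
    out = []
    for ch in text:
        if ch in SAFE_HTML_CHARS:
            out.append(ch)
        else:
            # &#NNN; is decoded by the browser, so the text still renders as
            # typed; it just can never be parsed as markup or script.
            out.append("&#%d;" % ord(ch))
    return "".join(out)


def html_encode_denylist(text: str) -> str:
    """Deny-list encoding for comparison: only & < > " ' are escaped."""
    return html.escape(text, quote=True)


def renders_identically(text: str) -> bool:
    """Check that allow-list encoding is lossless once the browser decodes it."""
    return html.unescape(html_encode_allowlist(text)) == text


if __name__ == "__main__":
    for sample in ("hello, world", "<b>bold</b>", "a=b", "café"):
        print(repr(sample))
        print("  allow-list:", html_encode_allowlist(sample))
        print("  deny-list: ", html_encode_denylist(sample))
```

The difference shows on inputs like `a=b` or a non-ASCII name: the deny-list encoder passes them through unchanged, while the allow-list encoder emits `&#61;` and `&#233;`. That is the trade-off the WPL text describes: more output and more work per character, in exchange for not having to enumerate every character that is dangerous in every encoding context.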