Hi All,
I'm using Telerik UI for ASP.NET MVC R1 2021 licenced version and when customers doing some security test looks like some of Telerik instance codes can create Sql Injection attack possibility. Is it possible ? Is Telerik protect for Sql injection attacks?
One of usage example given below
public ActionResult GridTransactionBinding([DataSourceRequest]DataSourceRequest request)
{
if (Session["Username"] == null) { return View("404"); }
if (GetUserFleetId() != 0)
{
Load = GetLoadAmount();
}
return Json(Load.ToDataSourceResult(request), JsonRequestBehavior.AllowGet);
}
Thanks
1 Answer, 1 is accepted
Hello Adil,
Our collection extensions provide API that simplifies server operations by generating LINQ expressions based on the queries submitted by the client. When using IQueriable, these expressions are translated by the ORM to SQL queries and submitted to the database. In other words, the ORM is responsible for creating SQL injection-proof SQL queries, not our extensions.
Generally speaking, LINQ to Entities queries are not composed by using string manipulation or concatenation, and they are not susceptible to traditional SQL injection attacks.
So it is safe to say, that our API cannot cause any SQL injection breaches.
Regards,
Georgi
Progress Telerik
Love the Telerik and Kendo UI products and believe more people should try them? Invite a fellow developer to become a Progress customer and each of you can get a $50 Amazon gift voucher.