SQL method extension security

  1. Chris
    40 posts
    Member since:
    Feb 2009

    Posted 20 Apr 2012

    I've been wanting to do full text search and came across an article on your site explaining how to do it, which is good. However, to me, it looks ripe for SQL injection. I read through http://www.telerik.com/help/openaccess-orm/topic39.html but just wanted to verify with you guys that that won't be a problem.

  2. Ralph Waldenmaier
    202 posts

    Posted 23 Apr 2012

    Hello Chris,

    When using the SQL extension method, we are using parameters to pass the values to the query. This ensures that one cannot inject unwanted SQL. If you then also use a constant to define your SQL to be used within the SQL extension method, you are on the safe side. And we check that the actual SQL that we try to produce actually comes from a string constant.

    Hope that helps. 
    Feel free to ask if you have any other question.

    Kind regards,
    the Telerik team
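    The two rules in the reply above (bind the user's value as a parameter, keep the SQL text itself a constant) are not specific to OpenAccess. The following is an added illustration written for this page, not code from Telerik or from the linked article: it uses Python's built-in sqlite3 driver and a small constructed product table to show a concatenated search next to a parameterized one with a constant template. Table and column names are made up for the example.

```python
import sqlite3

# Constructed sample catalogue for the demonstration (not real data).
SAMPLE_ROWS = [
    ("OpenAccess ORM Guide", "Full text search with the SQL extension method"),
    ("SQL Cookbook", "O'Reilly recipes for parameterized queries"),
    ("Widget", "Unrelated hardware item"),
]

# The SQL text is a module-level constant: the template never changes at
# runtime, only the bound value does. This is the "constant SQL + parameters"
# arrangement the reply describes.
SEARCH_SQL = "SELECT name FROM products WHERE description LIKE '%' || ? || '%'"


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, description TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_unsafe(conn, term):
    """Concatenates the term into the statement (the pattern to avoid).

    The search term becomes part of the SQL grammar, so a single quote in
    it changes the structure of the statement instead of being matched.
    """
    sql = "SELECT name FROM products WHERE description LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Constant template plus a bound parameter.

    The driver sends the term as a value, so quotes and keywords inside it
    are compared literally and never parsed as SQL.
    """
    return [row[0] for row in conn.execute(SEARCH_SQL, (term,))]


def demo():
    """Run both variants on a term containing a quote and report the outcome."""
    conn = make_db()
    outcome = {
        "safe_plain": search_safe(conn, "extension"),
        "safe_quote": search_safe(conn, "O'Reilly"),
    }
    try:
        search_unsafe(conn, "O'Reilly")
        outcome["unsafe_quote_error"] = None
    except sqlite3.OperationalError as exc:
        # The apostrophe terminated the string literal and broke the statement.
        outcome["unsafe_quote_error"] = type(exc).__name__
    return outcome


if __name__ == "__main__":
    print(demo())
```

    One caveat that parameters do not cover: with LIKE, the characters % and _ inside the bound value are still wildcards, so a search for "100%" matches more than the literal text. That is a matching-semantics issue rather than injection, but it is worth escaping or documenting when the pattern operator is exposed to user input.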
  3. Tudor
    1 post
    Member since:
    Jan 2014

    Posted 18 Jun 2014

    I get an exception using this extension method:

    LINQ to Entities does not recognize the method 'Boolean SQL[Boolean](System.String, System.Object[])' method, and this method cannot be translated into a store expression

    Doesn't it run with EF?
  4. Kristian Nikolov
    206 posts

    Posted 20 Jun 2014

    Hello Tudor,

    Telerik Data Access extension methods can only be used with Telerik Data Access models and are not compatible with other ORMs. If you wish to take advantage of the rich functionality provided by Telerik Data Access we would like to invite you to check out our Q2 2014 release. It introduces new interesting features which were highly requested by our users - namely Attributes Support in the Visual Designer and Serializable Persistent Classes.

    I hope this helps. Should you have any more questions related to Telerik Data Access feel free to post at our forums again.

    Kristian Nikolov
    OpenAccess ORM is now Telerik Data Access. For more information on the new names, please check out the Telerik Product Map.