Do Entity Framework functions automatically escape input to protect against injection?

2023-09-05 00:50:25 Author: 时代佳人

Do Entity Framework functions automatically escape input to protect against injection?

In my SQL DB layer, I have a SPROC that takes an nvarchar(max) as input. In my EDMX, the SPROC is mapped to a function import as methodName(string input). Do I need to manually escape the input to protect against injection, or does Entity Framework do this automatically?

Accepted answer

It depends...

EF does escape inputs for you so you are safe in most cases.

But if you create dynamic SQL inside the procedure with the inputs, or call another function or procedure with the inputs, you are still subject to a SQL injection attack.

To prevent SQL injection, one has to follow the execution path to its last part and make sure the inputs are validated.
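To make the answer's point concrete, here is a constructed T-SQL example (not from the question or the answer) of a stored procedure that EF would expose as methodName(string input), in the form the answer warns about beside a hardened form. The table, column and procedure names are assumptions; EF passes @input as a typed parameter either way, so the difference lies entirely in what the procedure does with it.

```sql
-- Constructed example. EF sends @input to the procedure as a parameter,
-- so the call from methodName(string input) is itself parameterized. What the
-- procedure does with @input afterwards decides whether injection is possible.

-- 1. Dynamic SQL built by concatenation (the case the answer warns about):
--    the value of @input is pasted into the statement text, so it is parsed
--    as SQL rather than treated as data.
CREATE OR ALTER PROCEDURE dbo.SearchProducts_Unsafe
    @input nvarchar(max)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT ProductId, Name FROM dbo.Products WHERE Name LIKE N''%'
        + @input + N'%''';
    EXEC (@sql);   -- @input has become part of the SQL text
END;
GO

-- 2. Hardened: the dynamic statement has a fixed shape and the value is
--    handed to sp_executesql as a declared parameter, so it can only ever be
--    a value, never SQL.
CREATE OR ALTER PROCEDURE dbo.SearchProducts_Safe
    @input nvarchar(max)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT ProductId, Name FROM dbo.Products '
        + N'WHERE Name LIKE N''%'' + @term + N''%''';
    EXEC sp_executesql @sql, N'@term nvarchar(max)', @term = @input;
END;
GO

-- Caveat: LIKE wildcards (% and _) inside @term still act as wildcards in
-- the safe version. That is a matching quirk, not injection; escape them
-- with an ESCAPE clause if exact substring matching is required.
```

The same reasoning applies if the procedure forwards @input to another procedure or function: each hop has to keep the value in a parameter rather than in statement text.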