EntitySQL and SQL injection

Question

EntitySQL and SQL injection

754 Views Asked by sra At 07 April 2025 at 00:29

I've got the following query string

"SELECT VALUE entity FROM Entities AS entity WHERE entity.Client_id
= 0 && entity.Name LIKE @searchvalue ORDER BY @sorting SKIP @skip LIMIT @limit"

with the following param replacement

query.Parameters.Add(new ObjectParameter("skip", start));
query.Parameters.Add(new ObjectParameter("limit", limit));
query.Parameters.Add(new ObjectParameter("searchvalue", searchValue + "%"));
query.Parameters.Add(new ObjectParameter("sorting", sortField + " " + sortDirection.ToUpper()));

But I always end up in the exception:

The key expression 'ORDER BY' must have at least one reference to the immediate input scope. Near ORDER BY clause item

I guess this happends cause query.Parameters.Add(...) wraps all in quotes? I also read this but for what benefit then do I need query.Parameters.Add(...) if nothing can happens? OK, the attacker may not start a new query but I guess he can manipulate the current?

Original Q&A

There are 3 best solutions below

jerjer On 31 January 2012 at 08:15

Have tried removing the quotes @searchvalue, since you are using a parameterized query IMO, quotes are no longer required.

Instead of:

"SELECT VALUE entity FROM Entities AS entity WHERE entity.Client_id
= 0 && entity.Name LIKE '@searchvalue' ORDER BY @sorting SKIP @skip LIMIT @limit"

Try this:

"SELECT VALUE entity FROM Entities AS entity WHERE entity.Client_id
= 0 && entity.Name LIKE @searchvalue ORDER BY @sorting SKIP @skip LIMIT @limit"

Vitaliy Kalinin On 31 January 2012 at 09:00

You cant use parameters as replacement of column names.

**Tigran** · Accepted Answer

Guess: The first thing I would try it to do something like this

SELECT VALUE entity FROM Entities AS entity WHERE entity.Client_id = 0 && entity.Name LIKE '@searchvalue' ORDER BY @sorting @sortorder SKIP @skip LIMIT @limit

query.Parameters.Add(new ObjectParameter("searchvalue", searchValue + "%"));
query.Parameters.Add(new ObjectParameter("sorting",   sortField ));
query.Parameters.Add(new ObjectParameter("sortorder", sortDirection));

In other words: move sorting order to seprated parameter.

EDIT

If this doesn't work use Query Builder to construct a query.

Look here for example.

Good luck.

EntitySQL and SQL injection

There are 3 best solutions below

Related Questions in C#

Related Questions in ENTITY-FRAMEWORK

Related Questions in SQL-INJECTION

Related Questions in ENTITY-SQL

Trending Questions

Popular # Hahtags

Popular Questions