Preventing SQL Injection Attacks

Does OrmLite automatically prevent SQL injection within its functionality or does the developer need to take extra steps within their code for added security? Thanks in advance.

No SQL injection is possible with the typed APIs, which always use DB params or are otherwise escaped.

Also, most APIs that let you pass in raw SQL string fragments are validated against illegal tokens. The ones that aren't validated start with Unsafe*, e.g. q.UnsafeSelect().

The only APIs where SQL injection is possible are the raw Custom SQL APIs, where you're constructing the SQL yourself, e.g.:

// Vulnerable: untrusted input is concatenated into the SQL text
int result = db.SqlScalar<int>(
    "SELECT COUNT(*) FROM Person WHERE Name = '" + name + "'");

When you need to use Custom SQL, you should use DB parameters instead, e.g.:

// Safe: the value is bound as a DB parameter, never spliced into the SQL text
int result = db.SqlScalar<int>(
    "SELECT COUNT(*) FROM Person WHERE Name = @name", new { name });

But you only need to do this for complex SQL, since you can use the Typed API for most queries, which uses DB params under the hood, e.g.:

// Typed API: the expression is translated to parameterized SQL
var q = db.From<Person>()
          .Where(x => x.Name == name)
          .Select(Sql.Count("*"));
int result = db.SqlScalar<int>(q);
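The following is an added example, not code from the original post or from the OrmLite project, that runs the three variants above side by side against an in-memory SQLite database with a deliberately hostile input, so you can see the concatenated query match every row while the parameterized and typed queries match none. It assumes the ServiceStack.OrmLite and ServiceStack.OrmLite.Sqlite NuGet packages are referenced; the Person table, its rows, the malicious input and the helper method names are all constructed here for illustration.

```csharp
using System;
using ServiceStack.DataAnnotations;
using ServiceStack.OrmLite;

// Constructed sample table for the demonstration.
public class Person
{
    [AutoIncrement]
    public int Id { get; set; }
    public string Name { get; set; }
}

public static class SqlInjectionDemo
{
    // Vulnerable: the caller-supplied value becomes part of the SQL text.
    public static int CountUnsafe(System.Data.IDbConnection db, string name) =>
        db.SqlScalar<int>(
            "SELECT COUNT(*) FROM Person WHERE Name = '" + name + "'");

    // Safe: the value travels as a DB parameter, so quotes in it are just data.
    public static int CountParameterized(System.Data.IDbConnection db, string name) =>
        db.SqlScalar<int>(
            "SELECT COUNT(*) FROM Person WHERE Name = @name", new { name });

    // Safe: the typed API emits parameterized SQL under the hood.
    public static int CountTyped(System.Data.IDbConnection db, string name)
    {
        var q = db.From<Person>()
                  .Where(x => x.Name == name)
                  .Select(Sql.Count("*"));
        return db.SqlScalar<int>(q);
    }

    public static void Main()
    {
        // Assumption: in-memory SQLite is enough to show the difference.
        var dbFactory = new OrmLiteConnectionFactory(":memory:", SqliteDialect.Provider);
        using var db = dbFactory.Open();
        db.CreateTableIfNotExists<Person>();
        db.Insert(new Person { Name = "Alice" });
        db.Insert(new Person { Name = "Bob" });

        // Constructed hostile input: closes the string literal and appends
        // an always-true predicate, matching every row when concatenated.
        var hostile = "' OR '1'='1";

        Console.WriteLine($"unsafe        -> {CountUnsafe(db, hostile)}");        // 2: all rows match
        Console.WriteLine($"  last SQL: {db.GetLastSql()}");
        Console.WriteLine($"parameterized -> {CountParameterized(db, hostile)}"); // 0: no Name equals the literal text
        Console.WriteLine($"  last SQL: {db.GetLastSql()}");
        Console.WriteLine($"typed         -> {CountTyped(db, hostile)}");         // 0: same, generated SQL is parameterized
        Console.WriteLine($"  last SQL: {db.GetLastSql()}");

        // A legitimate lookup still works through the safe variants.
        Console.WriteLine($"parameterized Alice -> {CountParameterized(db, "Alice")}"); // 1
        Console.WriteLine($"typed Alice         -> {CountTyped(db, "Alice")}");         // 1
    }
}
```

Printing db.GetLastSql() after each call is the quickest check in practice: the concatenated variant shows the hostile text inlined into the statement, while the other two show a @name placeholder (the exact parameter naming depends on the dialect), which is what a reviewer should expect to see for any query that touches user input.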

That’s an excellent explanation. It is much appreciated!