Udostępnij za pośrednictwem


Security Considerations (EntityDataSource)

There are security considerations specific to the EntityDataSource control in addition to those of developing, deploying, and running Entity Framework applications. In addition to information in this topic, you should also follow recommendations for creating secure .NET Framework applications. For more information see, Security Considerations (Entity Framework).

General Security Considerations

The following list describes security considerations specific to the EntityDataSource control.

  • Privilege level
    The component opens a connection using the connection string supplied. The privilege level of the connection depends on the connection and server configuration.

  • Access control
    Pages that can produce queries of significant cost should be safeguarded under access control.

  • Unverified input
    Unverified input of query fragments or complete queries should not be exposed to the client side. Applications should always use parameters as an input for queries.

  • Thread safety
    The component is not thread safe because ASP.NET does not require it.

  • Exception messages
    The Entity Framework exposes fragments of metadata information in exception messages. The EntityDataSource control does not try to safeguard metadata from being exposed this way.

  • Validation of post-back calls
    By default, ASP.NET validates the possible arguments for post-back calls on the server. Turning off this feature may severely compromise security of any Web application.

  • Stack trace
    By default, ASP.NET does not show the stack trace of exceptions in the error page. Turning on this feature may lead to disclosure of some metadata details, as some exception messages may contain fragments of metadata.

See Also

Other Resources

Securing ADO.NET Applications

EntityDataSource Web Server Control Overview

Data Selection using EntityDataSource

ADO.NET Entity Framework

Security Considerations (Entity Framework)

Change History

Date

History

Reason

July 2008

Added topic.

SP1 feature change.