Security Considerations (EntityDataSource)
There are security considerations specific to the EntityDataSource control in addition to those that apply to developing, deploying, and running Entity Framework applications. Besides the information in this topic, you should also follow the recommendations for creating secure .NET Framework applications. For more information, see Security Considerations (Entity Framework).
General Security Considerations
The following list describes security considerations specific to the EntityDataSource control.
Privilege level
The control opens a connection using the connection string supplied to it. The privilege level of that connection depends on the connection string and on the server configuration, not on the control.
Access control
Pages that can produce queries of significant cost should be placed under access control.
Unverified input
Query fragments or complete queries must not be accepted from the client side without verification. Applications should always pass client-supplied values into queries as parameters.
Thread safety
The control is not thread safe; ASP.NET does not require data source controls to be.
Exception messages
The Entity Framework exposes fragments of metadata in exception messages. The EntityDataSource control does not try to prevent metadata from being exposed this way.
Validation of post-back calls
By default, ASP.NET validates the possible arguments of post-back calls on the server. Turning off this feature may severely compromise the security of any Web application.
Stack trace
By default, ASP.NET does not show the stack trace of exceptions on the error page. Turning on this feature may disclose some metadata details, because some exception messages contain fragments of metadata.
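The following code-behind shows the "Unverified input" point in practice: a Where clause built by concatenating a query-string value, beside the parameterized form the topic recommends. This is an added example, not code from the original topic or from the ASP.NET product. It assumes an EntityDataSource control named ProductsSource declared in the page markup, a container named NorthwindEntities with an entity set Products that has a Category property, and a query-string key named cat; all of those names are assumptions.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example (not from the original topic). Assumed names: an EntityDataSource
// "ProductsSource" in the markup with DefaultContainerName="NorthwindEntities" and
// EntitySetName="Products", a Category property on Products, and a query-string
// key "cat" supplied by the client.
public partial class ProductsPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        // WRONG: the client-controlled value becomes part of the Entity SQL text,
        // so the client decides what query runs. A value such as
        //   x' OR 1 = 1 OR it.Category = 'x
        // turns the filter into one that matches every row, and it can also
        // produce the expensive queries the "Access control" item warns about.
        // ProductsSource.Where = "it.Category = '" + Request.QueryString["cat"] + "'";

        // RIGHT: the query text is fixed and the client value travels as the
        // Entity SQL parameter @cat, bound from the query string by ASP.NET.
        ProductsSource.Where = "it.Category = @cat";
        ProductsSource.WhereParameters.Clear();
        ProductsSource.WhereParameters.Add(
            new QueryStringParameter("cat", TypeCode.String, "cat"));

        // The same configuration expressed declaratively in the page markup:
        //   <asp:EntityDataSource ID="ProductsSource" runat="server"
        //        ConnectionString="name=NorthwindEntities"
        //        DefaultContainerName="NorthwindEntities"
        //        EntitySetName="Products"
        //        Where="it.Category = @cat">
        //     <WhereParameters>
        //       <asp:QueryStringParameter Name="cat" QueryStringField="cat"
        //                                 Type="String" />
        //     </WhereParameters>
        //   </asp:EntityDataSource>
    }
}
```

The parameterized form keeps the Entity SQL text constant regardless of what the client sends; the value is typed (Type="String") and bound at execution time rather than spliced into the query. The same rule applies to the OrderBy and GroupBy clauses and to the CommandText property: never assemble any of them from request data.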
See Also
Other Resources
EntityDataSource Web Server Control Overview
Data Selection using EntityDataSource
Security Considerations (Entity Framework)
Change History
Date | History | Reason
---|---|---
July 2008 | Added topic. | SP1 feature change.