How can I prevent parameter tampering in my code below?
var MyTest = await _context.MyTable.Where(x => x.ID == EmployeeID).ToListAsync();
How can I prevent parameter tampering in my code below?
var MyTest = await _context.MyTable.Where(x => x.ID == EmployeeID).ToListAsync();
I assume you are referring to the EmployeeID parameter. Unfortunately, you did not share any code the populates the variable or shows how the variable is passed.
If you are worried about the LINQ query, the query that's generated is a parameter query. The parameter tampering vulnerability would occur else where in your code. For example, user input.
You can create a class like the following
public class Integer
{
public int Id { get; init; }
public Integer(int id)
{
Id = id;
}
}
Pass it to a method which can use it but not alter Id property

Thanks karenpayneoregon, so the value of EmployeeID is what I have to pass in into the Results method?
This is my code:
var MyTest = await _context.MyTable.Where(x => x.ID == EmployeeID).ToListAsync();
Yes, and you can name the class and or property as you see fit e.g.
public class Integer
{
public int EmployeeID { get; init; }
public Integer(int employeeId)
{
EmployeeID = employeeId;
}
}
Or
public class EmployeeData
{
public int Id { get; init; }
public EmployeeData(int employeeId)
{
Id = employeeId;
}
}
This is a .Net question.
.Net support is on stackoverflow. I suggest you post your question here:
21 people are following this question.