Dapper and SQL Injections

by

How does Dapper help protect against SQL injections?

It makes it really, really easy to do fully parameterized data access, without ever needing to either concatenate input. In particular, because you don’t need to jump through lots of “add parameter, set the parameter type, check for null because ADO.NET has sucky null-handling, rinse/repeat for 20 parameters”, by making parameter handling stupidly convenient. It also makes turning rows into objects really easy, avoiding the temptation to use DataTable… everyone wins.

From comments:

One more…what does dapper actually help do then?

To answer, let’s take the example from marc_s’s reply, and write it the old way, assuming all we have to start with is connection. This is then:

List<Dog> dogs = new List<Dog>();
using(var cmd = connection.CreateCommand()) {
    cmd.CommandText = "select Age = @Age, Id = @Id";
    cmd.Parameters.AddWithValue("Age", DBNull.Value);
    cmd.Parameters.AddWithValue("Id", guid);
    using(var reader = cmd.ExecuteReader()) {
        while(reader.Read()) {
            int age = reader.ReadInt32("Age");
            int id = reader.ReadInt32("Id");
            dogs.Add(new Dog { Age = age, Id = id });
        }
        while(reader.NextResult()) {}
    }
}

except I’ve over-simplfied grossly, as it also deals with a wide range of issues such as:

  • null handling of parameters
  • null handling of result columns
  • using the ordinal column indices
  • adapting to structural changes of the underlying table and type
  • data conversion of result columns (between various primitives, strings, enums, etc)
  • special handling of the oh-so-common “in this list” scenario
  • for “execute”, special handling of the “apply this separately to a list of inputs”
  • avoiding silly typos
  • reducing code maintenance
  • handling multiple grids
  • handling multiple objects returned horizontally in a single grid
  • working with arbitrary ADO.NET providers (hint: AddWithValue rarely exists)
    • including specific support for things like Oracle, which needs additional configuration
    • plays nicely with ADO.NET decoratos such as “mini-profiler”
  • inbuilt support for both buffered (suitable for small-to-moderate data; minimises command duration) and non-bufferesd (suitable for large data; minimised memory usage) accesss
  • optimized by people who care about performance and know “quite a bit” about both data-access and meta-programming
  • allows you to use your choice of POCO / DTO / anon-type / whatever for both the parameter and output
  • allows use of either dynamic (for multi-column) or primitives etc (for single column) when the output doesn’t warrant generation a POCO / DTO
  • avoid the overhead of complex fully-typed ORMs like EF
  • avoid the overhead of weak-typed layers like DataTable
  • opening and closing connections as-necessary
  • and a vast range of other common gotchas

More Related Contents:

  1. Is there a way to call a stored procedure with Dapper?
  2. Which method performs better: .Any() vs .Count() > 0?
  3. What is the difference between IQueryable and IEnumerable?
  4. WCF – How to Increase Message Size Quota
  5. Wait until file is unlocked in .NET
  6. When creating a new GUI, is WPF the preferred choice over Windows Forms? [closed]
  7. LINQ on the .NET 2.0 Runtime
  8. SELECT * FROM X WHERE id IN (…) with Dapper ORM
  9. Is there a memory limit for a single .NET process
  10. Does Dapper support SQL 2008 Table-Valued Parameters?
  11. Can I use the task parallel library in a .Net 3.5 project?
  12. How can you do paging with NHibernate?
  13. .net ORM Comparison [closed]
  14. Why doesn’t Dapper dot net open and close the connection itself?
  15. When creating a new GUI, is WPF the preferred choice over Windows Forms? [closed]
  16. Entity Framework is Too Slow. What are my options? [closed]
  17. Troubleshooting .NET “Fatal Execution Engine Error”
  18. Best free ORM tools to use with .NET 2.0/3.5 [closed]
  19. Binding a GridView to a Dynamic or ExpandoObject object
  20. How to begin WPF development?
  21. Does the .Net Framework 4.0 Installer include the .Net Framework 3.5?
  22. Using Json.NET converters to deserialize properties
  23. Strange issue with System.Net.Http 4.2.0.0 not found
  24. What is the difference between List (of T) and Collection(of T)?
  25. System.BadImageFormatException: Could not load file or assembly (from installutil.exe)
  26. How to debug a stackoverflowexception in .NET
  27. Asymptotic complexity of .NET collection classes
  28. Best practices/guidance for maintaining assembly version numbers
  29. When to use Windows Workflow Foundation? [closed]
  30. Maximum Memory a .NET process can allocate

Leave a Comment