
I read here that using ORM (like nHibernate) does not necessarily prevent SQL injection; for example, if you keep creating dynamic queries using your ORM framework you are still vulnerable.

Fine, then what is the proper use of ORM to avoid all types of SQL injection? Should we use Parameterized Queries using our ORM framework? Does something like nHibernate escape special SQL characters like single quote so developers do not write a piece of code like this:

    // Escaping helper from the question: doubles single quotes and relies on the
    // caller wrapping the result in quotes inside a concatenated SQL string.
    private string SafeSqlLiteral(string inputSQL)
    {
        return inputSQL.Replace("'", "''");
    }

Goli E

2 Answers


Fine, then what is the proper use of ORM to avoid all types of SQL injection?

You don't.

ORM was not created to prevent SQL Injection. If you want to prevent SQL Injection - have a firm understanding of how SQL Injection works, and apply this knowledge to the code you write. This way - you will know the correct way to prevent it (including in cases that involve the use of dynamic SQL).

I haven't dug through NHibernate's source code so I can't tell you how they attempt to prevent SQL Injection (if you really care, I would suggest doing some digging on your own). If I had to bet - I would say they use parameterized SQL as this is the industry standard for preventing SQL Injection.

To prevent SQL Injection in dynamic sql you need to use parameterized queries, specifically sp_executesql.

Abe Miessler
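To make the two points above concrete (the question's quote-doubling helper versus bound parameters, and the answer's "parameterize even your dynamic SQL"), here is an added example that is not from the question, the answer or NHibernate. It uses Python's sqlite3 module as a stand-in for an ORM session; the table, the rows, `safe_sql_literal` (a port of the question's helper) and the allowlists are constructed for the illustration.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the application's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users (id, name, is_admin) VALUES (?, ?, ?)",
                     [(1, "alice", 1), (2, "bob", 0), (3, "o'neil", 0)])
    return conn


def safe_sql_literal(text):
    """The quote-doubling helper from the question, ported as-is."""
    return text.replace("'", "''")


def find_by_name_escaped(conn, name):
    # String concatenation: the helper covers the one case it was written for.
    sql = "SELECT id, name FROM users WHERE name = '" + safe_sql_literal(name) + "'"
    return conn.execute(sql).fetchall()


def find_by_id_escaped(conn, user_id):
    # Numeric column, so no quotes are written around the value; the helper has
    # nothing to escape and the input is parsed as part of the statement.
    sql = "SELECT id, name FROM users WHERE id = " + safe_sql_literal(user_id)
    return conn.execute(sql).fetchall()


def find_by_name_param(conn, name):
    # The value travels as a bound parameter; the SQL text never changes.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def find_by_id_param(conn, user_id):
    # A non-numeric string bound to an INTEGER column simply matches no row.
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


# Dynamic SQL the sp_executesql way: statement text is assembled only from
# identifiers on an allowlist, while every value is passed as a parameter.
ALLOWED_FILTER_COLUMNS = ("name", "is_admin")
ALLOWED_SORT_COLUMNS = ("id", "name")


def build_user_query(filters, sort_by="id"):
    """Return (sql_text, params); `filters` maps column name -> value."""
    clauses, params = [], []
    for column, value in filters.items():
        if column not in ALLOWED_FILTER_COLUMNS:
            raise ValueError(f"unsupported filter column: {column!r}")
        clauses.append(f"{column} = ?")  # identifier is ours, value is a placeholder
        params.append(value)
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = "SELECT id, name FROM users"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += f" ORDER BY {sort_by}"
    return sql, params


def search_users(conn, filters, sort_by="id"):
    sql, params = build_user_query(filters, sort_by)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(find_by_name_escaped(db, "o'neil"))  # escaping handles the quote case
    print(find_by_id_escaped(db, "1+1"))       # numeric context: input is evaluated
    print(find_by_id_param(db, "1+1"))         # bound parameter: no such id
    print(search_users(db, {"is_admin": 0}, sort_by="name"))
```

The `"1+1"` input is deliberately harmless: it only shows that, in the concatenated numeric query, the database evaluates the input as SQL, whereas the bound parameter is compared as a value. The same reasoning carries over to an ORM: `CreateQuery`/`CreateSQLQuery` calls that concatenate values are the dynamic-query case the question describes, and the fix is the same split between allowlisted identifiers and bound values.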

It does not always prevent SQL injection; typical examples include second-order injection in scripts or even stored procedures that use data read from a table without parameterizing it or validating the data.

wireghoul
  • This ‘second order’ thing is only an issue if you treat your values differently depending on their origins. – Gumbo Jan 27 '15 at 05:38
  • That may be the case in an ideal world Gumbo, but developers make this mistake regularly, hence it is an issue. Your statement also holds true for persistent xss, yet I don't see you jumping up and down about how persistent xss is not a vulnerability. – wireghoul Jan 27 '15 at 20:14
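The second-order case in this answer and the comment thread, as an added example that is not part of the answer or of NHibernate. It uses Python's sqlite3 module as a stand-in: the first statement binds the user-supplied name correctly, but a later report treats the stored name as trusted and concatenates it into a new statement. The tables, the `register`/`record_login`/`count_logins_*` functions and the sample rows are all constructed for the illustration; the name "O'Brien" is simply a legitimate value containing a quote.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the application's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE logins (name TEXT, day TEXT)")
    return conn


def register(conn, name):
    # First-order boundary: the request value is bound, so it is stored exactly as typed.
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))


def record_login(conn, name, day):
    conn.execute("INSERT INTO logins (name, day) VALUES (?, ?)", (name, day))


def count_logins_unsafe(conn):
    # Second-order use: the name now comes from our own table, gets treated as
    # trusted, and is concatenated into a new statement. A stored quote reaches
    # the parser, so the statement breaks instead of counting.
    counts = {}
    names = [row[0] for row in conn.execute("SELECT name FROM users").fetchall()]
    for name in names:
        sql = "SELECT COUNT(*) FROM logins WHERE name = '" + name + "'"
        counts[name] = conn.execute(sql).fetchone()[0]
    return counts


def count_logins_safe(conn):
    # Same read-back; the value is bound regardless of where it came from.
    counts = {}
    names = [row[0] for row in conn.execute("SELECT name FROM users").fetchall()]
    for name in names:
        counts[name] = conn.execute(
            "SELECT COUNT(*) FROM logins WHERE name = ?", (name,)).fetchone()[0]
    return counts


def run_report(conn, counter):
    """Run one of the counters, reporting a parse failure instead of crashing."""
    try:
        return "ok", counter(conn)
    except sqlite3.OperationalError as exc:
        return "error", str(exc)


def seed(conn):
    # Constructed sample data.
    for name in ("alice", "O'Brien"):
        register(conn, name)
    for name, day in (("alice", "2015-01-27"),
                      ("O'Brien", "2015-01-27"),
                      ("O'Brien", "2015-01-28")):
        record_login(conn, name, day)
    return conn


if __name__ == "__main__":
    db = seed(make_db())
    print(run_report(db, count_logins_unsafe))  # ('error', ...): stored quote hit the parser
    print(run_report(db, count_logins_safe))    # ('ok', {'alice': 1, "O'Brien": 2})
```

The unsafe report fails on an honest name; a value crafted with that failure in mind would instead be executed, which is the point of the answer. The safe version makes no distinction between "fresh" and "stored" values, which is the discipline Gumbo's comment describes and the one developers regularly drop once data has sat in a table.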