This documentation is archived and is not being maintained.

Security Considerations (EntityDataSource)

Updated: July 2008

There are security considerations specific to the EntityDataSource control in addition to those that apply to developing, deploying, and running any Entity Framework application. In addition to the information in this topic, you should also follow the recommendations for creating secure .NET Framework applications. For more information, see Security Considerations (Entity Framework).

The following list describes security considerations specific to the EntityDataSource control.

Privilege level

The component opens a connection using the connection string supplied. The privilege level of the connection depends on the connection and server configuration.

Access control

Pages that can produce queries of significant cost should be safeguarded under access control.

Unverified input

Query fragments or complete queries built from unverified input should not be exposed to the client side. Applications should always pass user-supplied values to queries as parameters.
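The parameterized pattern recommended above, shown as an added example that is not part of the original topic. The entity container (AdventureWorksEntities), entity set (Customers) and property (City) are assumed for illustration; the client supplies only the value bound to @City, never any part of the query text.

```aspx
<%@ Page Language="C#" %>
<html>
<body>
<form id="form1" runat="server">

<%-- Unsafe form (do not use): assembling the predicate in code-behind from the
     raw query-string value lets the client control the Entity SQL text:
       CustomersSource.Where = "it.City = '" + Request.QueryString["city"] + "'";
     The same applies to building CommandText (a complete query) from input. --%>

<%-- Safe form: the Where predicate is a fixed string that names a parameter.
     The value arrives through WhereParameters and is bound by the provider. --%>
<asp:EntityDataSource ID="CustomersSource" runat="server"
    ConnectionString="name=AdventureWorksEntities"
    DefaultContainerName="AdventureWorksEntities"
    EntitySetName="Customers"
    Where="it.City = @City">
    <WhereParameters>
        <%-- Reads ?city=... from the request and binds it as a typed parameter. --%>
        <asp:QueryStringParameter Name="City" QueryStringField="city" Type="String" />
    </WhereParameters>
</asp:EntityDataSource>

<asp:GridView ID="CustomersGrid" runat="server"
    DataSourceID="CustomersSource" AutoGenerateColumns="true" />

</form>
</body>
</html>
```

When no city value is present in the request, the parameter is null and the predicate matches no rows rather than failing open.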

Thread safety

The component is not thread safe because ASP.NET does not require it.

Exception messages

The Entity Framework exposes fragments of metadata information in exception messages. The EntityDataSource control does not try to safeguard metadata from being exposed this way.

Validation of post-back calls

By default, ASP.NET validates the possible arguments for post-back calls on the server. Turning off this feature may severely compromise the security of any Web application.

Stack trace

By default, ASP.NET does not show the stack trace of exceptions in the error page. Turning on this feature may lead to disclosure of some metadata details, as some exception messages may contain fragments of metadata.

Date         History         Reason

July 2008    Added topic.    SP1 feature change.