The "query language" of SQL Data Services is essentially a LINQ expression passed as a string, e.g.:
from e in entities where e["username"] == "{0}" && e["password"] == "{1}" select e
Do you see a problem here?
Of course, building the query by string concatenation, combined with schema-less ("flex") entities, opens the door to injection: whatever the user types ends up inside the expression. Marcus and I did some tests, e.g. try entering the following username for the above statement:
foo" || "" == "
This will select all users: the first quotation mark closes the username literal, and the injected "" == "" is always true. Note that in C# && binds tighter than ||, so if the service honours that precedence the password clause still applies to the right-hand side; supplying the same value in the password field removes that dependence. I am sure there are other tricks, too.
So again – be aware that you have to validate all of your input! Some things you can do here include:
- run an allow-list regular expression over your inputs to make sure they contain only legal characters
- escape characters such as quotation marks and backslashes (escape the backslashes first, otherwise the backslash you add in front of a quote gets escaped itself and the quote is live again)
- use e.g. the Single() LINQ operator on the returned entity list when you know that only one entity should be returned; Single() throws if the query yields more than one, so an injection that widens the match fails loudly instead of logging someone in (otherwise something must be wrong).
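The injection above and the three mitigations, worked through as an added example that is not part of the original post. Since the SDS query subset shown is only equality comparisons joined by && and ||, the code below includes a small evaluator for exactly that subset (with C# precedence, && before ||), runs the post's template against a constructed three-user store, and then applies the allow-list, the escaping and the Single() check. The sample entities, the allow-list pattern and the function names are assumptions for the demonstration; the template and the username payload are the ones from the post.

```python
import re

# Constructed sample store (not from the original post): three "flex entities".
ENTITIES = [
    {"username": "alice", "password": "s3cret"},
    {"username": "bob", "password": "hunter2"},
    {"username": "carol", "password": "pa55"},
]

# The post's query template and its username payload, verbatim.
QUERY_TEMPLATE = 'from e in entities where e["username"] == "{0}" && e["password"] == "{1}" select e'
PAYLOAD = 'foo" || "" == "'

# ---- toy evaluator for the where-clause subset the post uses ---------------
# Tokens: e["field"], "string literal" (backslash escapes), ==, &&, ||, ( ).
TOKEN_RE = re.compile(r'\s*(?:(e\["([^"]*)"\])|("(?:[^"\\]|\\.)*")|(==|&&|\|\||[()]))')

def unescape_literal(body):
    return re.sub(r'\\(.)', r'\1', body)

def tokenize(src):
    tokens, pos, src = [], 0, src.strip()
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if not m:  # unbalanced quote, stray character, etc.
            raise ValueError(f"syntax error at offset {pos}: {src[pos:pos + 12]!r}")
        pos = m.end()
        if m.group(1):
            tokens.append(("field", m.group(2)))
        elif m.group(3):
            tokens.append(("str", unescape_literal(m.group(3)[1:-1])))
        else:
            tokens.append(("op", m.group(4)))
    return tokens

class Parser:
    """Recursive descent with C#/LINQ precedence: && binds tighter than ||."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, expected=None):
        tok = self.peek()
        if tok[0] is None or (expected is not None and tok != expected):
            raise ValueError(f"unexpected token {tok}, wanted {expected}")
        self.i += 1
        return tok
    def parse(self):
        node = self.or_expr()
        if self.peek()[0] is not None:
            raise ValueError("trailing tokens")
        return node
    def or_expr(self):
        node = self.and_expr()
        while self.peek() == ("op", "||"):
            self.take()
            node = ("or", node, self.and_expr())
        return node
    def and_expr(self):
        node = self.comparison()
        while self.peek() == ("op", "&&"):
            self.take()
            node = ("and", node, self.comparison())
        return node
    def comparison(self):
        if self.peek() == ("op", "("):
            self.take()
            node = self.or_expr()
            self.take(("op", ")"))
            return node
        left = self.take()
        self.take(("op", "=="))
        right = self.take()
        if left[0] not in ("field", "str") or right[0] not in ("field", "str"):
            raise ValueError(f"bad operands {left} == {right}")
        return ("eq", left, right)

def evaluate(node, entity):
    kind = node[0]
    if kind == "field":
        return entity.get(node[1])
    if kind == "str":
        return node[1]
    lhs, rhs = evaluate(node[1], entity), evaluate(node[2], entity)
    return {"eq": lhs == rhs, "and": lhs and rhs, "or": lhs or rhs}[kind]

def run_query(query, entities):
    m = re.fullmatch(r'from e in entities where (.*) select e', query.strip(), re.S)
    if not m:
        raise ValueError("unsupported query shape")
    predicate = Parser(tokenize(m.group(1))).parse()
    return [e for e in entities if evaluate(predicate, e)]

# ---- the three mitigations from the post ----------------------------------
# 1. allow-list regex (hypothetical policy; identifier-like input only)
SAFE_INPUT = re.compile(r'[A-Za-z0-9_.@-]{1,64}')

def is_safe_input(value):
    return SAFE_INPUT.fullmatch(value) is not None

# 2. escaping: backslashes first, then quotes, so a literal cannot be closed early
def escape_literal(value):
    return value.replace("\\", "\\\\").replace('"', '\\"')

# 3. Single(): one match is a login, zero is a bad credential, more is an attack or a bug
def find_user(username, password, entities, escape=False, allowlist=False):
    if allowlist and not (is_safe_input(username) and is_safe_input(password)):
        raise ValueError("input contains characters outside the allow-list")
    if escape:
        username, password = escape_literal(username), escape_literal(password)
    matches = run_query(QUERY_TEMPLATE.format(username, password), entities)
    if len(matches) > 1:
        raise RuntimeError(f"expected at most one entity, query matched {len(matches)}")
    return matches[0] if matches else None

if __name__ == "__main__":
    print(len(run_query(QUERY_TEMPLATE.format(PAYLOAD, PAYLOAD), ENTITIES)), "users leaked")
    print(find_user("alice", "s3cret", ENTITIES))
    print(find_user(PAYLOAD, PAYLOAD, ENTITIES, escape=True))
```

With the payload in the username field only and a normal password, the evaluator matches nobody, because the password comparison is bound to the injected `"" == ""` by `&&`; with the payload in both fields every entity matches, which is what the unhardened `find_user` turns into a RuntimeError via the Single()-style check. Escaping turns the payload back into an ordinary string literal that matches no user, and the allow-list rejects it before a query is ever built; the allow-list shown suits usernames, while free-text fields such as passwords need the escaping path.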
HTH