c#, asp.net-mvc, linq, ado.net, odata

OData concern for SQL injection


Suppose I have a DB full of health records and an ASP.NET MVC application. Suppose someone uses the URL "/api/medicalRecords?$filter=id gt 0" to make an Ajax request. This seems to me to be open to SQL injection - just like 10-15 years ago...

Does this mean that it is by standard open to SQL injection, or does it depend on the server side (I use an IQueryable result and Entity Framework 4)?

I know that an authentication mechanism is necessary - but for the sake of this question, suppose no authentication mechanism is available...


Solution

  • Try to read this blog post, which provides very detailed information about OData and SQL injection:

    http://kscottmorrison.com/tag/sql-injection/

    ...OData, of course, is the data source connection, so injection isn’t an issue—just getting a hold of it in the first place is enough. So what is critically important with OData is to strictly manage what this connection is capable of doing...
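As an added illustration (not from the question, the answer or the linked post) of why a `$filter` such as `id gt 0` need not be a string-concatenation injection, and of what "managing what the connection can do" looks like in practice: the filter is parsed into structured terms, every field and operator is checked against an allowlist, and literal values are passed to the database as bound parameters rather than spliced into SQL text. This is a stand-alone Python sketch over an in-memory SQLite table, not Entity Framework code; EF likewise builds SQL from a LINQ expression tree rather than from the raw request string. Table and column names, the `ALLOWED_FIELDS` set and the sample rows are constructed for the example.

```python
import re
import sqlite3

# Allowlist of filterable columns: sensitive free-text columns are deliberately absent.
ALLOWED_FIELDS = {"id", "patient_id"}
OPERATORS = {"eq": "=", "ne": "<>", "gt": ">", "ge": ">=", "lt": "<", "le": "<="}
# One comparison term: <identifier> <op> <integer | single-quoted string ('' escapes a quote)>
_TERM = re.compile(r"^\s*([A-Za-z_]\w*)\s+(eq|ne|gt|ge|lt|le)\s+(-?\d+|'(?:[^']|'')*')\s*$")

def compile_filter(odata_filter):
    """Translate comparison terms joined by 'and' into (sql_where, params).
    Values never reach the SQL text; they are returned as bound parameters."""
    clauses, params = [], []
    # Constructed simplification: string literals containing ' and ' are not supported.
    for term in re.split(r"\s+and\s+", odata_filter.strip(), flags=re.IGNORECASE):
        m = _TERM.match(term)
        if not m:
            raise ValueError("unsupported $filter term: %r" % term)
        field, op, literal = m.group(1), m.group(2).lower(), m.group(3)
        if field not in ALLOWED_FIELDS:
            raise ValueError("field not filterable: %r" % field)
        if literal.startswith("'"):
            value = literal[1:-1].replace("''", "'")   # unescape OData string literal
        else:
            value = int(literal)
        clauses.append('"%s" %s ?' % (field, OPERATORS[op]))
        params.append(value)
    return " AND ".join(clauses), params

def rejects(odata_filter):
    """True when the filter is refused by the allowlist/grammar (for tests)."""
    try:
        compile_filter(odata_filter)
        return False
    except ValueError:
        return True

def query_records(conn, odata_filter, max_top=100):
    """Run the compiled filter with a server-enforced row cap (like a capped $top)."""
    where, params = compile_filter(odata_filter)
    sql = "SELECT id, patient_id FROM medical_records WHERE %s LIMIT ?" % where
    return conn.execute(sql, params + [max_top]).fetchall()

def demo_db():
    """Constructed sample table standing in for the health-records DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE medical_records (id INTEGER, patient_id INTEGER, diagnosis TEXT)")
    conn.executemany("INSERT INTO medical_records VALUES (?, ?, ?)",
                     [(1, 10, "a"), (2, 10, "b"), (3, 11, "c")])
    return conn
```

A quote-laden string literal ends up as a single bound parameter and simply matches nothing, while a filter on a column outside the allowlist is rejected before any SQL is built.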