Question

I have code like this:

// Build the LINQ to SQL entity; Var1/Var2 may hold user-supplied strings.
var newMsg = new Msg
{
    Var1 = var1,
    Var2 = var2
};

// CClass is the Table<Msg> exposed by the generated DataContext.
using (AppDataContext appDataContext = new AppDataContext(ConnectionString))
{
    appDataContext.CClass.InsertOnSubmit(newMsg);
    appDataContext.SubmitChanges();   // generates and runs the INSERT
}

After reading this post I believe that the same logic applies.

Does anyone think that this is subject to SQL Injection Attack?


Solution

The second answer in the post you're referencing says it:

LINQ to SQL uses execute_sql with parameters.

It does not concatenate property values into one big INSERT ... VALUES('...', '...')

OTHER TIPS

The underlying operation of the DataContext is via the SqlCommand, which uses parameterised SQL.

So your insert statement will look like this:

INSERT INTO [MSG] ([Var1], [Var2]) VALUES (@p1, @p2)
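To see the parameterised statement for yourself, the following added example (not code from the question or from either answer) turns on DataContext.Log so the SQL that LINQ to SQL actually sends is echoed to the console, and then contrasts a safe ExecuteCommand call with the one pattern that does reintroduce injection: concatenating user input into the SQL text. The entity mapping, table/column names and connection string are assumptions for illustration; a real project gets them from its .dbml file.

```csharp
using System;
using System.Data.Linq;
using System.Data.Linq.Mapping;

// Assumed attribute mapping standing in for the generated .dbml entity.
// Table and column names mirror the question (MSG, Var1, Var2); the Id key is
// an assumption because LINQ to SQL refuses inserts on tables with no primary key.
[Table(Name = "MSG")]
public class Msg
{
    [Column(IsPrimaryKey = true, IsDbGenerated = true)]
    public int Id { get; set; }

    [Column]
    public string Var1 { get; set; }

    [Column]
    public string Var2 { get; set; }
}

public class AppDataContext : DataContext
{
    public AppDataContext(string connectionString) : base(connectionString) { }

    // Equivalent of the question's CClass table property.
    public Table<Msg> Msgs => GetTable<Msg>();
}

public static class InjectionDemo
{
    public static void Main()
    {
        // Constructed hostile input, shaped as if it were trying to close the
        // VALUES list and append a second statement.
        string hostile = "x', 'y'); DROP TABLE MSG; --";

        // Assumed connection string; point it at a throwaway database.
        using (var db = new AppDataContext("Data Source=.;Initial Catalog=App;Integrated Security=True"))
        {
            // Echo every command LINQ to SQL issues, with its parameter list.
            db.Log = Console.Out;

            // Same pattern as the question: InsertOnSubmit + SubmitChanges.
            db.Msgs.InsertOnSubmit(new Msg { Var1 = hostile, Var2 = "second" });
            db.SubmitChanges();
            // The log shows an INSERT with @p0/@p1 placeholders and the hostile
            // string listed as a parameter value. It is bound as data, never
            // spliced into the SQL text, so the DROP TABLE is just a stored string.

            // Still safe: ExecuteCommand turns {0} arguments into SqlParameters.
            db.ExecuteCommand("DELETE FROM MSG WHERE Var1 = {0}", hostile);

            // NOT safe: building the SQL text by concatenation bypasses
            // parameterisation entirely. This is the only way to get injection
            // out of a DataContext, and it is the line to hunt for in review.
            // db.ExecuteCommand("DELETE FROM MSG WHERE Var1 = '" + hostile + "'");
        }
    }
}
```

Run it against a scratch database and compare the logged commands: the INSERT and the first DELETE carry the input as a parameter, whereas the commented-out DELETE would send the attacker's text as part of the statement.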

No, but you should be validating user data anyhow.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow