Is LINQ to SQL InsertOnSubmit() subject to SQL Injection Attack?
10-07-2019
Question
I have code like this:
    // Entity populated from caller-supplied values (var1, var2)
    var newMsg = new Msg
    {
        Var1 = var1,
        Var2 = var2
    };

    using (AppDataContext appDataContext = new AppDataContext(ConnectionString))
    {
        // Queue the row and let the DataContext generate and run the INSERT
        appDataContext.CClass.InsertOnSubmit(newMsg);
        appDataContext.SubmitChanges();
    }
After reading this post I believe that the same logic applies.
Does anyone think that this is subject to SQL Injection Attack?
Solution
The second answer in the post you're referencing says it:
LINQ to SQL uses execute_sql with parameters.
It does not concatenate property values into one big INSERT ... VALUES('...', '...')
OTHER TIPS
The underlying operation of the DataContext is via the SqlCommand which uses parameterised SQL.
So your insert statement will look like this:
    INSERT INTO [Msg] ([Var1], [Var2]) VALUES (@p1, @p2)
No, but you should be validating user data anyhow.
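A practical way to confirm the answers above is to capture the SQL that LINQ to SQL actually sends by setting DataContext.Log. The following is an added example, not code from the question or either answer; it assumes a Msg table with an identity Id column and a connection string supplied by the caller.

```csharp
using System;
using System.Data.Linq;
using System.Data.Linq.Mapping;
using System.IO;

// Assumed mapping for the question's Msg entity (hypothetical schema).
[Table(Name = "Msg")]
public class Msg
{
    [Column(IsPrimaryKey = true, IsDbGenerated = true)]
    public int Id { get; set; }
    [Column] public string Var1 { get; set; }
    [Column] public string Var2 { get; set; }
}

public class AppDataContext : DataContext
{
    public AppDataContext(string cs) : base(cs) { }
    public Table<Msg> CClass => GetTable<Msg>();
}

public static class InsertCheck
{
    // Inserts a row whose values contain SQL metacharacters and returns the
    // text LINQ to SQL wrote to DataContext.Log (command plus parameter dump).
    public static string CaptureInsertSql(string connectionString)
    {
        var log = new StringWriter();
        var newMsg = new Msg
        {
            Var1 = "O'Brien",                 // embedded quote (constructed)
            Var2 = "x'); DROP TABLE Msg; --"  // constructed hostile-looking value
        };
        using (var ctx = new AppDataContext(connectionString))
        {
            ctx.Log = log;                    // every command is logged before it runs
            ctx.CClass.InsertOnSubmit(newMsg);
            ctx.SubmitChanges();
        }
        return log.ToString();
    }

    // True when the statement itself references parameters and the hostile value
    // appears only in the "-- @pN:" parameter dump lines, never spliced into SQL.
    public static bool IsParameterised(string logText, string hostile)
    {
        bool usesParams = logText.Contains("@p");
        foreach (var line in logText.Split('\n'))
            if (!line.TrimStart().StartsWith("--") && line.Contains(hostile)) return false;
        return usesParams;
    }
}
```

Run CaptureInsertSql against a development database and feed the result to IsParameterised; if it ever returns false, the values were concatenated into the statement and the insert path needs review.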
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow