Does LINQ's ExecuteCommand provide protection from SQL injection attacks?
https://stackoverflow.com/questions/157924
-
03-07-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I've got a situation where I need to use LINQ's ExecuteCommand method to run an insert.
Something like (simplified for purposes of this question):
object[] oParams = { Guid.NewGuid(), rec.WebMethodID };
TransLogDataContext.ExecuteCommand (
"INSERT INTO dbo.Transaction_Log (ID, WebMethodID) VALUES ({0}, {1})",
oParams);
The question is if this is SQL injection proof in the same way parameterized queries are?
Solution
Did some research, and I found this:
In my simple testing, it looks like the parameters passed in the ExecuteQuery and ExecuteCommand methods are automatically SQL encoded based on the value being supplied. So if you pass in a string with a ' character, it will automatically SQL escape it to ''. I believe a similar policy is used for other data types like DateTimes, Decimals, etc.
http://weblogs.asp.net/scottgu/archive/2007/08/27/linq-to-sql-part-8-executing-custom-sql-expressions.aspx
(You have scroll way down to find it)
This seems a little odd to me - most other .Net tools know better than to "SQL escape" anything; they use real query parameters instead.
OTHER TIPS
LINQ to SQL uses exec_sql with parameters, which is much safer than concatenating into the ad-hoc query string. It should be as safe againt SQL injection as using SqlCommand and its Paramaters collection (in fact, it's probably what LINQ to SQL uses internally). Then again, how safe is that?
