Yes it can, sql injection occurs when there is any type of string concatenation, if the stored procedure does string concatenation to execute a command inside, you would still be vulnerable
SQL injection with Entity Framework
-
29-06-2022 - |
Question
I am using Entity Framework 4.1 and use the following code for calling a stored procedure. Please advice me, whether this code can be attacked via SQL injection.
DbContext.Database.SqlQuery<TElement>("Name Of SP", params object[] parameters).
Solution
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow