Does LINQ's ExecuteCommand provide protection from SQL injection attacks?

I've got a situation where I need to use LINQ's ExecuteCommand method to run an insert.

Something like (simplified for purposes of this question):

object[] oParams = { Guid.NewGuid(), rec.WebMethodID };

TransLogDataContext.ExecuteCommand (
"INSERT INTO dbo.Transaction_Log (ID, WebMethodID) VALUES ({0}, {1})",
oParams);

The question is whether this is SQL injection proof in the same way parameterized queries are?

Scott Marlowe asked Oct 01 '08 14:10
1 Answer

Did some research, and I found this:

In my simple testing, it looks like the parameters passed in the ExecuteQuery and ExecuteCommand methods are automatically SQL encoded based on the value being supplied. So if you pass in a string with a ' character, it will automatically SQL escape it to ''. I believe a similar policy is used for other data types like DateTimes, Decimals, etc.

http://weblogs.asp.net/scottgu/archive/2007/08/27/linq-to-sql-part-8-executing-custom-sql-expressions.aspx
(You have to scroll way down to find it)

This seems a little odd to me - most other .Net tools know better than to "SQL escape" anything; they use real query parameters instead.

Joel Coehoorn answered Oct 21 '22 03:10
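An added example (not code from the question or the answer) that puts the placeholder form next to the form that defeats it, with DataContext.Log turned on so the SQL actually sent can be inspected: in my experience the values show up as @p0.. SqlParameters rather than escaped literals, and the log is the check worth running on your own LINQ to SQL version. It assumes the TransLogDataContext from the question is constructible from a connection string and that dbo.Transaction_Log has an nvarchar Comment column in addition to ID and WebMethodID.

```csharp
using System;
using System.Data.Linq;
using System.Data.SqlClient;

// Added example, not from the question or answer. Assumes the question's
// TransLogDataContext (constructible from a connection string) and a
// dbo.Transaction_Log table with ID uniqueidentifier, WebMethodID int and
// an assumed Comment nvarchar column so a string value can be passed through.
static class TransactionLogDemo
{
    // Safe form: the command text holds only {n} placeholders; the values go
    // in the params array and ExecuteCommand binds them itself.
    public static int InsertWithPlaceholders(
        TransLogDataContext db, Guid id, int webMethodId, string comment)
    {
        return db.ExecuteCommand(
            "INSERT INTO dbo.Transaction_Log (ID, WebMethodID, Comment) VALUES ({0}, {1}, {2})",
            id, webMethodId, comment);
    }

    // Unsafe form: the values are spliced into the text before ExecuteCommand
    // sees them, so the placeholder mechanism never runs. A value holding a
    // quote (O'Brien) breaks the statement instead of being stored verbatim.
    public static int InsertWithStringFormat(
        TransLogDataContext db, Guid id, int webMethodId, string comment)
    {
        string sql = string.Format(
            "INSERT INTO dbo.Transaction_Log (ID, WebMethodID, Comment) VALUES ('{0}', {1}, '{2}')",
            id, webMethodId, comment);
        return db.ExecuteCommand(sql);
    }

    static void Main()
    {
        // Constructed placeholder connection string; replace with a real one.
        using (var db = new TransLogDataContext("Server=.;Database=TransLog;Integrated Security=true"))
        {
            db.Log = Console.Out; // echo the SQL and parameter list that is really sent
            string awkward = "O'Brien"; // constructed value containing a single quote

            Console.WriteLine("rows: " + InsertWithPlaceholders(db, Guid.NewGuid(), 7, awkward));
            try
            {
                InsertWithStringFormat(db, Guid.NewGuid(), 7, awkward);
            }
            catch (SqlException ex)
            {
                Console.WriteLine("string.Format version failed: " + ex.Message);
            }
        }
    }
}
```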