Entity Framework, LinqToSQL and sql injection

Question

Is it possible for a project using entirely LinqToSQL or Entity Framewok to suffer from SQL Injection.

I think that probably not because the SQL that the ORM generates should be sql-injection free. But I'm not sure.

Answer 1

When you use those frameworks as intended, i.e. the entities/tables directly, then no. All string comparisons (i.e. where name = 'smith' ) are parameterized.

The only vulnerable spots are:

• any string can be executed directly against the context. dbContext.ExecuteQuery(); with any kind of destructive string.

• a stored procedure executing dynamic SQL using any parameters given

Answer 2

"It depends".

Plain LINQ queries against L2S or EF entities are injection safe, but you could always call a stored procedure or function that is not injection safe.

That would clearly be an edge case, but yes it happens that people write SPs/functions that are open to injection (composing SQL-in-strings with parameter values inside the proc).