I'm currently doing a project with C# and LINQ-TO-SQL. This project has security as a high priority, so obviously I want to prevent SQL-Injections. I googled on the matter, but it's not turning up anything useful. Microsoft's own FAQ told me that Injections would be no problem, because of the way LINQ handles parameters, however seeing the code LINQ produces in a debugger and having read a bit about how LINQ-To-SQL just builds to SQL I'm not sure how this applies.
Does anyone have any literature/linkage that deals with this matter?
Advantages of Using LINQ

LINQ offers a common syntax for querying any type of data source. Secondly, it bridges the gap between relational and object-oriented approaches. LINQ expedites development time by catching errors at compile time and includes IntelliSense & debugging support. LINQ expressions are strongly typed.
To avoid the risk of SQL injection, you should never combine user input with Entity SQL command text. Entity SQL queries accept parameters everywhere that literals are accepted. You should use parameterized queries instead of injecting literals from an external agent directly into the query.
In LINQ to SQL, the data model of a relational database is mapped to an object model expressed in the programming language of the developer. When the application runs, LINQ to SQL translates into SQL the language-integrated queries in the object model and sends them to the database for execution.
LINQ to SQL automatically uses SqlParameters. User input is turned into parameter values instead of simply being a concatenated string (which is what allows for SQL injections). This happens server-side, IIRC, so you might just be seeing the client-side code. If you want a bit more background and info, you can read the information here.
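As an added example (not code from the question or any of the answers), the following C# program shows the parameterization the answer above describes and a small check you can run against your own DataContext to confirm it. It assumes a SQL Server table `Users(Id int, Name nvarchar)` reachable through the placeholder connection string; the table, column and method names are made up for the example.

```csharp
// Added example, not from the original post. Assumes a SQL Server database
// with a table Users(Id int, Name nvarchar); replace the connection string.
using System;
using System.Data.Common;
using System.Data.Linq;
using System.Data.Linq.Mapping;
using System.Linq;

[Table(Name = "Users")]
public class User
{
    [Column(IsPrimaryKey = true)] public int Id;
    [Column] public string Name;
}

public static class LinqParameterCheck
{
    // Placeholder: nothing here creates the database or the table.
    const string ConnectionString = "<your SQL Server connection string>";

    public static void Main()
    {
        var db = new DataContext(ConnectionString);
        db.Log = Console.Out;   // echoes the SQL and its @pN parameters as they are sent

        string untrusted = "O'Brien";   // constructed sample of user-supplied input

        // 1. Language-integrated query: the value never becomes part of the SQL text,
        //    it is sent as a SqlParameter (visible as @p0 in the Log output).
        IQueryable<User> query = db.GetTable<User>().Where(u => u.Name == untrusted);
        AssertParameterized(db.GetCommand(query), untrusted);

        // 2. Raw SQL via ExecuteQuery: the {0} placeholder is still bound as a parameter,
        //    so the apostrophe in the input cannot terminate the string literal.
        int hits = db.ExecuteQuery<User>(
            "SELECT Id, Name FROM Users WHERE Name = {0}", untrusted).Count();
        Console.WriteLine("parameterized raw query returned {0} row(s)", hits);

        // 3. What NOT to do: concatenating the input makes it part of the SQL syntax.
        //    Left commented out; it is here only for contrast with the two forms above.
        // db.ExecuteQuery<User>("SELECT Id, Name FROM Users WHERE Name = '" + untrusted + "'");
    }

    // Defensive check: the command must carry the input as a parameter, and the raw
    // input must not appear inline in the generated CommandText.
    public static void AssertParameterized(DbCommand cmd, string input)
    {
        if (cmd.Parameters.Count == 0 || cmd.CommandText.Contains(input))
            throw new InvalidOperationException("input was inlined into the SQL text");
        Console.WriteLine("OK: {0} parameter(s), input absent from CommandText", cmd.Parameters.Count);
    }
}
```

The `Log` output is what the debugger view in the question does not show: the final text sent to SQL Server, with the value carried separately as `@p0` rather than spliced into the statement.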