 

LINQ to Entities and SQL Injection

I've seen a couple of conflicting articles about whether or not L2E is susceptible to SQL injection.

From MSDN:

Although query composition is possible in LINQ to Entities, it is performed through the object model API. Unlike Entity SQL queries, LINQ to Entities queries are not composed by using string manipulation or concatenation, and they are not susceptible to traditional SQL injection attacks.

Does that imply that there are "non-traditional" attacks that may work? This article has one example of a non-parameterized query - is it safe to assume that if you pass in user-supplied data via a variable it will be parameterized?

If I do:

from foo in ctx.Bar where foo.Field == userSuppliedString select foo;

am I safe?

chris asked Feb 03 '10 19:02


1 Answer

In your example you're using a variable (userSuppliedString), so it will be parameterized.

If you had a literal value in your code:

from foo in ctx.Bar where foo.Field == "Hi" select foo;

...then EF 1 won't parameterize it, but there's also zero danger of SQL injection since it's a literal.

Craig Stuntz answered Dec 16 '22 04:12
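An added example (not from the question or the answer above) that makes the MSDN distinction concrete: the same lookup written three ways, so you can compare the store commands with `ObjectQuery<T>.ToTraceString()`. It assumes an EF 1 / EF 4 `ObjectContext` subclass named `BarEntities` with an entity set `Bar` of type `Bar` that has a string property `Field`; those names are assumptions, chosen to match the question, and the malicious input is constructed for the demo.

```csharp
using System;
using System.Data.Objects;   // ObjectContext, ObjectQuery<T>, ObjectParameter (System.Data.Entity.dll)
using System.Linq;

// Assumed model (not part of the original page): a generated ObjectContext named
// BarEntities exposing an entity set "Bar" whose entity type Bar has a string Field.
static class LinqToEntitiesInjectionDemo
{
    // 1. LINQ to Entities with a local variable. The query is composed through the
    //    object model, so the provider emits a parameter; the value never becomes
    //    part of the SQL text. This is the question's query.
    public static ObjectQuery<Bar> SafeLinq(BarEntities ctx, string userSuppliedString)
    {
        var query = from foo in ctx.Bar
                    where foo.Field == userSuppliedString
                    select foo;
        return (ObjectQuery<Bar>)query;   // IQueryable<Bar> here is really an ObjectQuery<Bar>
    }

    // 2. Entity SQL built by string concatenation. This is the "string manipulation
    //    or concatenation" the MSDN passage contrasts with LINQ to Entities: the
    //    user's text is parsed as query syntax, so it can change the WHERE clause.
    public static ObjectQuery<Bar> UnsafeEntitySql(BarEntities ctx, string userSuppliedString)
    {
        string esql = "SELECT VALUE b FROM Bar AS b WHERE b.Field = '" + userSuppliedString + "'";
        return ctx.CreateQuery<Bar>(esql);
    }

    // 3. Entity SQL with an ObjectParameter: same query text, value sent out of band.
    //    Entity SQL parameters use the @name syntax; the name is given without the '@'.
    public static ObjectQuery<Bar> SafeEntitySql(BarEntities ctx, string userSuppliedString)
    {
        return ctx.CreateQuery<Bar>(
            "SELECT VALUE b FROM Bar AS b WHERE b.Field = @field",
            new ObjectParameter("field", userSuppliedString));
    }

    public static void Main()
    {
        // Constructed input: closes the literal in case 2 and turns the filter into a
        // tautology ( ... WHERE b.Field = 'x' OR b.Field <> 'x' ), returning every row.
        // In cases 1 and 3 the whole string is just a value compared against Field.
        string userSuppliedString = "x' OR b.Field <> 'x";

        using (var ctx = new BarEntities())
        {
            Console.WriteLine("-- LINQ to Entities (parameterized):");
            Console.WriteLine(SafeLinq(ctx, userSuppliedString).ToTraceString());

            Console.WriteLine("-- Entity SQL by concatenation (value embedded in the command):");
            Console.WriteLine(UnsafeEntitySql(ctx, userSuppliedString).ToTraceString());

            Console.WriteLine("-- Entity SQL with ObjectParameter (parameterized):");
            Console.WriteLine(SafeEntitySql(ctx, userSuppliedString).ToTraceString());
        }
    }
}
```

Run it against any model with the assumed names and compare the three trace strings: in cases 1 and 3 the store command contains a parameter placeholder and the input string never appears in it, while in case 2 the input is spliced into the command text. The practical takeaway is the one the MSDN quote makes: the "not susceptible" guarantee covers queries composed through the object model API (LINQ to Entities, or Entity SQL with `ObjectParameter`), not query strings you assemble yourself.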