Reputation: 14159
What is the difference between in-line SQL queries and queries fired by Entity Framework?
I am new to Entity Framework.
I am thinking what is the difference between writing in-line SQL queries and Entity Framework. If in-line SQL queries are prone to SQL injection attacks, how is Entity Framework safer?
The only difference I see is that we interact with Entity Framework using LINQ, but internally Entity Framework classes interact with the database in some language. How is it safer when compared to in-line queries?
Upvotes: 0
Views: 320
Answers (1)
Reputation: 2763
Entity Framework has built-in functionality for parameterizing queries, preventing injection of characters like single quotes which are important in SQL injection. Inline SQL can be safe too as long as you parameterize and build your queries the correct way using ADO.NET or a similar framework.
In the end, if you don't sanitize input and parameterize your queries, inline SQL can be very bad. Entity Framework just does all this for you behind the scenes, making it inherently safer.
Upvotes: 2
Related Questions
- Entity Framework two types of queries
- Difference between RDBMS and ORDBMS
- DbContext.Database.SqlQuery vs ObjectContext.ExecuteFunction
- What is the difference between ExecuteSqlCommand vs SqlQuery ? when doing a db access?
- Entity Framework performance vs Traditional ADO.Net
- Entity framework database differences
- is there a real difference between db.foo.Where and db.Database.SqlQuery in EntityFramework
- Relationship between LINQ to SQL and Entity Framework
- Difference between Native SQL and Entity SQL
- Native Queries and Stored Procedures vs ORMs