Reputation: 37460
LINQ to Entities and SQL Injection
I've seen a couple of conflicting articles about whether or not L2E is susceptible to SQL injection.
From MSDN:
Although query composition is possible in LINQ to Entities, it is performed through the object model API. Unlike Entity SQL queries, LINQ to Entities queries are not composed by using string manipulation or concatenation, and they are not susceptible to traditional SQL injection attacks.
Does that imply that there are "non-traditional" attacks that may work? This article has one example of a non-parameterized query - is it safe to assume that if you pass in user-supplied data via a variable it will be parameterized?
If I do:
from foo in ctx.Bar where foo.Field = userSuppliedString select foo;
am I safe?
Upvotes: 10
Views: 2110
Answers (2)
Reputation: 12077
Good luck trying to get anyone to tell you that a certain piece of code does not have a certain security vulnerability. That being said, I personally would not be concerned about SQL Injection attacks through a LINQ query vector (unless I was doing something very bizarre behind-the-scenes).
Upvotes: 3
Reputation: 126547
In your example you're using a variable (userSuppliedString), so it will be parameterized.
If you had a literal value in your code:
from foo in ctx.Bar where foo.Field == "Hi" select foo;
...then EF 1 won't parameterize it, but there's also zero danger of SQL injection since it's a literal.
Upvotes: 9
Related Questions
- C# Linq to SQL is contains safe for sql injections
- Entity Framework + sql injection
- Will using LINQ to SQL help prevent SQL injection
- SQL injection concerns
- Does LINQ To SQL C# eliminate any possibility of a SQL injection attack?
- EntitySQL and SQL injection
- Is this LINQ statment vulnerable to SQL injection?
- Linq to SQL and SQL Injection
- Linq to sql and sql injection attacks
- Entity Framework, LinqToSQL and sql injection