Will using LINQ to SQL help prevent SQL injection

c# asp.net linq linq-to-sql
30,568

Solution 1

Yes, LINQ will help stop SQL injection.

LINQ to SQL passes all data to the database via SQL parameters. So, although the SQL query is composed dynamically, the values are substitued server side through parameters safeguarding against the most common cause of SQL injection attacks.

Also, see Eliminate SQL Injection Attacks Painlessly with LINQ for some info.

Solution 2

You're good to go. Linq does parameterize the data it sends to the database.

Use the Log property to check out what's happening: dc.Log = Console.Out;

Solution 3

It should because the SQL emitted uses named parameters which cannot be exploited to execute arbitrary SQL.

Share:
30,568
Bill Martin
Author by

Bill Martin

Love to void warranties. I make a wicked bowl of cereal.

Updated on July 04, 2020

Comments

  • Bill Martin
    Bill Martin almost 4 years

    I'm setting up a public site and the first thing on my mind is SQL injection. I have some text fields I'm saving and am using linq to update/write to the database. Am I safe using linq?

    This example is creating the user account. 

    Data.MemberRegistrationDataContext context = new MemberRegistrationDataContext();
Data.tbl_Member_UserProfile profile = new tbl_Member_UserProfile();
profile.SSN = Convert.ToDecimal(Session["tempMemberSSN_Registration"]);
profile.UserName = userName;
profile.Password = password;
profile.EmailAddress = email;
profile.QuestionID = qID;
profile.QuestionResponse = securityAnswer;
profile.LastModDt = DateTime.Now;
profile.LastModBy = "web";
context.tbl_Member_UserProfiles.InsertOnSubmit(profile);
context.SubmitChanges();

    This example is changing the password

       MemberRegistrationDataContext dc = new MemberRegistrationDataContext();
   var mProfileRecord = dc.tbl_Member_UserProfiles.Single(c => c.SSN == sSSN);
   mProfileRecord.Password = sNewPassword;
   dc.SubmitChanges();

    Are these safe? Does LINQ parameterize the SQL it generates automatically?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to iterate over results of a linq-to-sql query result and append the results?
Joining two tables using LINQ
Most efficient way to update with LINQ to SQL
LinqDataSource - Can you limit the amount of records returned?
casting a tiny int from SQL server
Purpose of EF 6.x DbContext Generator option when adding a new data item in Visual Studio
LINQ to SQL Where Clause Optional Criteria
What's the correct way to fill a DropDownList using LINQ?
LINQ Query Except not working, List<long?> vs. List<long>
Value was either too large or too small for an Int16 ,when copy to data table