Hi,

 Im making an c# asp.net webservice and using Linq for my DAL layer. I have an method with some parameters. I would like to use the parameter values in an SELECT query after the WHERE. Something like this:

public void GetItems(String filter)
{

string sql = "SELECT * FROM ConfigurationItems WHERE " + filter;

var items = context11.ExecuteQuery<ConfigurationItem>(sql);

}

But Its dangerous because it is possible to do injection on this method. Some queries to remove the whole table or database or something. How can I occur this?

Hi khalidelmeknesi

LINQ to SQL avoids such injection by using SqlParameter in queries. User input is turned into parameter values. This approach prevents malicious commands from being used from customer input.

So you statement would look something like: SELECT * FROM ConfigurationItems WHERE = @Filter

Hope this helps.

Dave

 But what is the differant between your code and my code?

Can an hacker still do something like this:

GetItems("id = 6; DROP TABLE ConfigurationItems; --'")

public void GetItems(String filter)
{

var items = context11.ExecuteQuery<ConfigurationItem>("SELECT * FROM ConfigurationItems WHERE  = @filter");

}

Hi

Check out this article.

Dave

 I have read this article, but I don't still know how to resolve the problem in my situation. Anybody?