fr3d
Member
8 Points
36 Posts
linq prevent sql injection
Feb 23, 2013 01:12 PM
Hi,
I'm converting from a SQL query to an ADO.NET EF LINQ query. I edited the query according to ADO.NET EF LINQ.
My SQL query:
string query = "SELECT * FROM user WHERE UEAddress = '" + userName +
               "' AND UPassword = '" + password + "'";
My LINQ query:
var query = from u in db.user
            where u.UEAddress == username && u.UPassword == password
            select u;
We already know that parameterized queries prevent SQL injection when used with SQL.
But how do I prevent SQL injection in an ADO.NET EF query?
Is an ADO.NET LINQ query enough to prevent SQL injection?
Do I have to change anything in my LINQ query to prevent SQL injection?
MetalAsp.Net
All-Star
112168 Points
18255 Posts
Moderator
Re: linq prevent sql injection
Feb 23, 2013 01:20 PM
EF uses parameterized queries as far as I know, so you should be good to go.
Rion William...
All-Star
27656 Points
4574 Posts
Re: linq prevent sql injection
Feb 23, 2013 01:22 PM
By default using LINQ to SQL will prevent any SQL Injection as it sends all of the values contained in the query through as parameters automatically. LINQ will substitute all of the values server-side to make them safe and help curb any attempts at SQL Injection.
Check out the following articles, which will shed some light on how this process is performed:
Eliminate SQL Injection Attacks Painlessly with LINQ
Is This LINQ Query Protected Against SQL Injection?
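
As an added example (not part of the thread and not either poster's code), the sketch below puts the question's LINQ query next to the one place where EF still accepts hand-written SQL, so the parameterization can be checked rather than assumed. It assumes Entity Framework 6 and a reachable SQL Server or LocalDB instance; the User and AppDb classes and the ViaLinq and ViaRawSql names are hypothetical.

```csharp
// Added example, not code from the thread. Assumes Entity Framework 6 and a
// reachable SQL Server/LocalDB; User and AppDb are hypothetical model classes.
using System;
using System.ComponentModel.DataAnnotations;
using System.ComponentModel.DataAnnotations.Schema;
using System.Data.Entity;
using System.Linq;

[Table("user")]
public class User
{
    [Key] public string UEAddress { get; set; }
    public string UPassword { get; set; }
}

public class AppDb : DbContext { public DbSet<User> user { get; set; } }

public static class LoginQueries
{
    // LINQ to Entities: captured variables are sent as DbParameters
    // (named like @p__linq__0), not spliced into the statement text.
    public static User ViaLinq(AppDb db, string username, string password)
    {
        var query = from u in db.user
                    where u.UEAddress == username && u.UPassword == password
                    select u;
        Console.WriteLine(query.ToString()); // generated SQL with placeholders
        return query.FirstOrDefault();
    }

    // Raw SQL through EF is only as safe as the way it is built: keep the text
    // constant and pass values as arguments (@p0, @p1). Concatenating them into
    // the string instead recreates the injectable query from the question.
    public static User ViaRawSql(AppDb db, string username, string password)
    {
        return db.Database.SqlQuery<User>(
            "SELECT UEAddress, UPassword FROM [user] WHERE UEAddress = @p0 AND UPassword = @p1",
            username, password).FirstOrDefault();
    }

    public static void Main()
    {
        using (var db = new AppDb())
        {
            // Constructed input: the apostrophe must be treated as data.
            Console.WriteLine(ViaLinq(db, "o'brien@example.com", "pw") == null);
            Console.WriteLine(ViaRawSql(db, "o'brien@example.com", "pw") == null);
        }
    }
}
```

The SQL printed by ViaLinq should contain parameter placeholders in the WHERE clause and none of the supplied text, which is the property to look for when reviewing any query that EF generates.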