I've got a situation where I need to use LINQ's ExecuteCommand method to run an insert.
Something like (simplified for purposes of this question):
object[] oParams = { Guid.NewGuid(), rec.WebMethodID };
TransLogDataContext.ExecuteCommand (
"INSERT INTO dbo.Transaction_Log (ID, WebMethodID) VALUES ({0}, {1})",
oParams);
The question is if this is SQL injection proof in the same way parameterized queries are?
Did some research, and I found this:
In my simple testing, it looks like the parameters passed in the ExecuteQuery and ExecuteCommand methods are automatically SQL encoded based on the value being supplied. So if you pass in a string with a ' character, it will automatically SQL escape it to ''. I believe a similar policy is used for other data types like DateTimes, Decimals, etc.
http://weblogs.asp.net/scottgu/archive/2007/08/27/linq-to-sql-part-8-executing-custom-sql-expressions.aspx
(You have scroll way down to find it)
This is just a random guy posting on the 'net, so you'd want to independently verify it before relying on it in a critical system.
LINQ to SQL uses *exec_sql* with parameters, which is much safer than concatenating into the ad-hoc query string. It should be as safe againt SQL injection as using SqlCommand and its Paramaters collection (in fact, it's probably what LINQ to SQL uses internally). Then again, how safe is that?