tags:

views:

1360

answers:

3
Q: 

Is LINQ to SQL InsertOnSubmit() subject to SQL Injection Attack?

I have code like this:

var newMsg = new Msg
{
    Var1 = var1,
    Var2 = var2
};

using (AppDataContext appDataContext = new AppDataContext(ConnectionString))
{
    appDataContext.CClass.InsertOnSubmit(newMsg);
    appDataContext.SubmitChanges();
}

After reading this post I believe that the same logic applies.

Does anyone think that this is subject to SQL Injection Attack?

+4  A: 

The second answer in the post you're referencing says it:

LINQ to SQL uses *execute_sql* with parameters.

It does not concatenate property values into a one big INSERT ... VALUES('...', '...')

liggett78  2008-10-12 22:04:12
I'm not sure that it does... it is just a command that is parameterised. execute_sql is used to do the same from *within* TSQL.
Marc Gravell  2008-10-13 04:12:28
User input that is parameterised is safe from injection. Injection attacks only apply when user input is concatenated.
 2009-05-21 18:03:04
+1  A: 

No, but you should be validating user data anyhow.

Will  2008-10-12 22:53:40
+3  A: 

The underlying operation of the DataContext is via the SqlCommand which uses paramatised SQL.

So your insert statement will look like this:

INSERT INTO [MSG] [Var1] = @p1, [Var2] = @p2
Slace  2008-10-12 23:39:55

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?