I've seen a couple of conflicting articles about whether or not L2E is susceptible to SQL injection.
From MSDN:
Although query composition is possible in LINQ to Entities,
it is performed through the object model API. Unlike Entity SQL queries,
LINQ to Entities queries are not composed by using string manipulation
or concatenation, and they are not susceptible to traditional SQL
injection attacks.
Does that imply that there are "non-traditional" attacks that may work? This article has one example of a non-parameterized query - is it safe to assume that if you pass in user-supplied data via a variable it will be parameterized?
If I do:
from foo in ctx.Bar where foo.Field = userSuppliedString select foo;
am I safe?