views: 37
answers: 2
If I want to get a user that has the email address of '[email protected]', how do I pass that as a parameter in linq?

i.e.:

var a = from u in Users
        where u.Email = @email
        Select u;

So this would be used in my method:

public static GetuserByEmail(string email)

Do I just pass in the variable or?

+6  A: 

Linq To SQL automatically handles SQL injection protection for you. It is safe to pass the parameter in as is from the user if you're worried about SQL Injection.

It automatically parametrizes the parameters you pass in and sanitizes them.

If you're worried about XSS, then you can Html.Encode() the output to make sure it is passed back to the UI safely.

public User GetUserByEmail(string email) 
{
    User a = (from u in db.Users
        where u.Email == email
        select u).Single();
    return a;
}

I'm not in front of an IDE at present, so that code may not be syntactically correct all the way through.

George Stocker
It does the SQL injection for you? That doesn't sound good :) It might be better to say that LinqToSql creates parametrised queries that avoid the dangers of SQL injection.
Dan Diplo
I didn't say 'does', I said 'handles'.
George Stocker
His statement made sense to me. :-/
Jaxidian
A: 
var a = from u in Users
    where u.Email == email
    select u;

Will work perfectly (LINQ to SQL will generate a parametrized SQL query).

PS: you need two '=' for the equals operator.

Olivier PAYEN
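Both answers rest on the same point: `where u.Email == email` compiles to SQL whose text is fixed, with the value sent as a bound parameter, which is why the input needs no escaping on the way in. The following is an added example, not code from either answer, that shows the same mechanism with Python's standard sqlite3 module standing in for LINQ to SQL (the table, the rows, the e-mail addresses and the `' OR '1'='1` probe value are all constructed for the demonstration): a concatenated query and a parameterized query are run against the same input, and the output side shows the HTML-encoding step the first answer mentions.

```python
import html
import sqlite3

# Constructed sample rows; they stand in for the Users table in the question.
USERS = [
    (1, "alice@example.com"),
    (2, "bob@example.com"),
]


def make_db():
    """Build an in-memory SQLite database with a Users(Id, Email) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Id INTEGER PRIMARY KEY, Email TEXT NOT NULL)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", USERS)
    return conn


def get_user_by_email_concat(conn, email):
    """The pattern LINQ to SQL protects you from: the value is spliced into the
    SQL text, so the database parses it as SQL rather than as data."""
    sql = "SELECT Id, Email FROM Users WHERE Email = '" + email + "'"
    return conn.execute(sql).fetchall()


def get_user_by_email_param(conn, email):
    """What `where u.Email == email` becomes: the statement text never changes,
    and the e-mail travels separately as a bound parameter, so quotes or SQL
    keywords inside it are just characters of the value being compared."""
    sql = "SELECT Id, Email FROM Users WHERE Email = ?"
    return conn.execute(sql, (email,)).fetchall()


def render_email(email):
    """Output side, as the first answer suggests with Html.Encode(): encode the
    value before it is written into HTML so it is displayed, not interpreted."""
    return html.escape(email, quote=True)


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"  # constructed value that is only meaningful if parsed as SQL
    print("concat   :", get_user_by_email_concat(conn, probe))  # every row comes back
    print("parameter:", get_user_by_email_param(conn, probe))   # no row has that e-mail
    print("lookup   :", get_user_by_email_param(conn, "alice@example.com"))
    print("rendered :", render_email("<b>x</b>@example.com"))
```

Run as a script it prints the full table for the concatenated version and an empty list for the parameterized one; the same string is harmless as a parameter because the comparison is `Email = <whole value>`, exactly what the generated LINQ to SQL query does. The encoding step is separate from the query: parameterization addresses the database, `Html.Encode()`/`html.escape()` addresses the browser, and one does not cover the other.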