ansaurus

Question

how to pass a parameter safely into linq to sql

Answer 1

+6 A:

Linq To SQL automatically handles SQL injection protection for you. It is safe to pass the parameter in as is from the user if you're worried about SQL Injection.

It automatically parametrizes the parameters you pass in and sanitizes them.

If you're worried about XSS, then you can Html.Encode() the output to make sure it is passed back to the UI safely.

public User GetUserByEmail(string email) 
{
    User a = (from u in db.Users
        where u.Email == email
        select u).Single();
    return a;
}

I'm not in front of an IDE at present, so that code may not be syntatically correct all the way through.

George Stocker 2010-04-08 19:56:54

It does the SQL injection for you? That doesn't sound good :) It might be better to say that LinqToSql creates parametrised queries that avoid the dangers of SQL injection.

Dan Diplo 2010-04-08 20:00:32

I didn't say 'does', I said 'handles'.

George Stocker 2010-04-08 20:01:42

His statement made sense to me. :-/

Jaxidian 2010-04-08 20:02:00

Answer 2

A:

var a = from u in Users
    where u.Email == email
    select u;

Will perfectly work (LINQ to SQL will generate a parametrized SQL query)

PS : you need two '=' for the equals operator

Olivier PAYEN 2010-04-08 19:58:46

ansaurus

tags:

views:

answers:

how to pass a parameter safely into linq to sql

related questions