Is it possible for a project using entirely LinqToSQL or Entity Framework to suffer from SQL injection?
I think probably not, because the SQL that the ORM generates should be SQL-injection free. But I'm not sure.
"It depends".
Plain LINQ queries against L2S or EF entities are injection safe, but you could always call a stored procedure or function that is not injection safe.
That would clearly be an edge case, but yes it happens that people write SPs/functions that are open to injection (composing SQL-in-strings with parameter values inside the proc).
When you use those frameworks as intended, i.e. the entities/tables directly, then no. All string comparisons (i.e. where name = 'smith') are parameterized.
The only vulnerable spots are:
- any string can be executed directly against the context: dbContext.ExecuteQuery(); with any kind of destructive string.
- a stored procedure executing dynamic SQL using any parameters given
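The three situations both answers describe, put side by side as an added example (this is not code from the question or either answer): a plain LINQ query that the provider parameterizes, raw SQL handed to the context by string concatenation, and the same raw SQL with the value bound as a parameter. It assumes Entity Framework 6 (System.Data.Entity) and LINQ to SQL (System.Data.Linq); the User entity, the AppContext type and the dbo.Users table are hypothetical.

```csharp
// Added example, not from the original thread. Assumes EF6 and LINQ to SQL;
// User, AppContext and dbo.Users are hypothetical names.
using System.Collections.Generic;
using System.Data.Entity;
using System.Data.Linq;
using System.Linq;

public class User
{
    public int Id { get; set; }
    public string Name { get; set; }
}

public class AppContext : DbContext
{
    public DbSet<User> Users { get; set; }
}

public static class UserLookup
{
    // 1. Plain LINQ against the entity set. The provider emits a WHERE clause
    //    with a bound parameter (e.g. "WHERE [Name] = @p__linq__0"), so the
    //    text of `name` never becomes part of the SQL statement itself.
    public static List<User> ByNameLinq(AppContext ctx, string name)
    {
        return ctx.Users.Where(u => u.Name == name).ToList();
    }

    // 2. Raw SQL through the context, built by concatenation. The ORM simply
    //    executes the string it is given, so this is ordinary SQL injection
    //    even though the project "uses EF".
    public static List<User> ByNameRawUnsafe(AppContext ctx, string name)
    {
        string sql = "SELECT * FROM dbo.Users WHERE Name = '" + name + "'";
        return ctx.Database.SqlQuery<User>(sql).ToList();
    }

    // 3. Raw SQL through the context, parameterized. {0} is a String.Format
    //    style placeholder that SqlQuery binds as a DbParameter, so the input
    //    travels as data, exactly as in case 1.
    public static List<User> ByNameRawSafe(AppContext ctx, string name)
    {
        return ctx.Database.SqlQuery<User>(
            "SELECT * FROM dbo.Users WHERE Name = {0}", name).ToList();
    }

    // The same two shapes on a LINQ to SQL DataContext (ExecuteQuery<T>).
    public static List<User> ByNameL2SUnsafe(DataContext dc, string name)
    {
        return dc.ExecuteQuery<User>(
            "SELECT * FROM dbo.Users WHERE Name = '" + name + "'").ToList();
    }

    public static List<User> ByNameL2SSafe(DataContext dc, string name)
    {
        return dc.ExecuteQuery<User>(
            "SELECT * FROM dbo.Users WHERE Name = {0}", name).ToList();
    }
}
```

The stored-procedure case from the first answer is case 2 moved into T-SQL: a procedure that concatenates its arguments into a string and runs it with EXEC has the same defect, and the fix is the same idea as case 3, passing the values to sp_executesql as parameters instead of splicing them into the statement. A code review for these projects therefore only needs to look at the places where a string reaches the database unparsed: SqlQuery, ExecuteSqlCommand, ExecuteQuery, ExecuteCommand, and the bodies of any stored procedures that build SQL dynamically.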