LINQ to Entities and SQL Injection

Question

I've seen a couple of conflicting articles about whether or not L2E is susceptible to SQL injection.

From MSDN:

Although query composition is possible in LINQ to Entities, 
it is performed through the object model API. Unlike Entity SQL queries, 
LINQ to Entities queries are not composed by using string manipulation 
or concatenation, and they are not susceptible to traditional SQL
injection attacks.

Does that imply that there are "non-traditional" attacks that may work? This article has one example of a non-parameterized query - is it safe to assume that if you pass in user-supplied data via a variable it will be parameterized?

If I do:

from foo in ctx.Bar where foo.Field = userSuppliedString select foo;

am I safe?

Answer 1

In your example you're using a variable (userSuppliedString), so it will be parameterized.

If you had a literal value in your code:

from foo in ctx.Bar where foo.Field == "Hi" select foo;

...then EF 1 won't parameterize it, but there's also zero danger of SQL injection since it's a literal.

Answer 2

Good luck trying to get anyone to tell you that a certain piece of code does not have a certain security vulnerability. That being said, I personally would not be concerned about SQL Injection attacks through a LINQ query vector (unless I was doing something very bizarre behind-the-scenes).