
Possible Duplicate:
Will using LINQ to SQL help prevent SQL injection

I'm using LINQ to access a SQL db. Is the following code safe?

    var addRec = (from p in db.5544
                  where p.ID == newAddID
                  select p).Single();

    // create address record
    addRec.Address1 = comAddTxt1.Text;
    addRec.Address2 = comAddTxt2.Text;
    addRec.Address3 = comAddTxt3.Text;
    addRec.Address4 = comAddTxt4.Text;
    addRec.PostCode = pstCdeTxt.Text;
    addRec.Town = twnTxt.Text;
    addRec.County = cntyTxt.Text;
    addRec.Country = cntComBox.SelectedItem.Text;

    db.SubmitChanges();

Thanks,

Steve McCall

3 Answers

Yes, it is safe from SQL injection attacks.

No, it is potentially unsafe from other forms of attack, i.e. Cross Site Scripting, etc., where relevant.

podiluska

To reduce the risk of XSS attacks you should HTMLEncode the data when retrieving it from the database in a web application.

tutts
  • ... if this is a web application – podiluska Jul 17 '12 at 07:59
  • ... if this is a web application ;) – tutts Jul 17 '12 at 08:00
  • I'd say the database should contain the actual plain text, not an encoding that's tied to a particular output format. You just get headaches if you ever want to support another format (e.g. PDF export or similar). Unless of course all the encoding for output takes a really long time in your application and you never need the plain text. But that's in most cases fairly unlikely. – Joey Jul 17 '12 at 08:00
  • I've always been under the impression that raw text shouldn't be allowed to be stored, mainly because in web development you have to reduce the risk of SQL injection and XSS attacks. – tutts Jul 17 '12 at 08:03
  • LINQ uses SqlParameters - these will sanitise and prevent injection attacks. – Alexander R Jul 17 '12 at 08:04
  • @rocky: That's the wrong impression. Sanitizing can only be performed when the intended **consumer** of the data is known. That's why you escape SQL arguments just before storing to SQL, and you encode HTML special chars just before outputting HTML. Doing this any earlier is simply misguided. Also, all the data we have shows that this is not a web app in any case. – Jon Jul 17 '12 at 08:08
  • This is a web app. So you think I shouldn't be htmlEncoding the user input for SQL? – Steve McCall Jul 17 '12 at 08:44
  • After doing a bit more reading on the subject, the best practice would be to insert into the DB as raw text and then HTMLEncode the output, rather than the other way around, as @Jon rightly said. I guess this puts an onus on the developer to remember to HTMLEncode the output for HTML apps, but it allows non-HTML applications to use the data without being bombarded by HTML-safe characters. So I guess LINQ input into the DB, then HTMLEncode out, will be safe :) - updated answer to reflect this so other readers are not misguided. – tutts Jul 17 '12 at 09:11
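Added example (not code from the question or any of the answers) that backs up both the "safe from injection" answer and the comment thread's conclusion about where encoding belongs. It assumes a hypothetical Addresses table and AddressDataContext standing in for the ones in the question, and uses DataContext.GetCommand and DataContext.Log to make the parameterised SQL visible.

```csharp
using System;
using System.Data.Linq;
using System.Data.Linq.Mapping;
using System.Linq;
using System.Net;

// Hypothetical entity and DataContext standing in for the generated ones in
// the question (the real table name did not survive on the page).
[Table(Name = "Addresses")]
public class Address
{
    [Column(IsPrimaryKey = true)] public int ID;
    [Column] public string Address1;
    [Column] public string Town;
}

public class AddressDataContext : DataContext
{
    public AddressDataContext(string connectionString) : base(connectionString) { }
    public Table<Address> Addresses => GetTable<Address>();
}

public static class LinqInjectionDemo
{
    // User input reaches SQL Server as a parameter value, never spliced into the statement.
    public static void ShowGeneratedSql(AddressDataContext db, string userInput)
    {
        var query = from p in db.Addresses
                    where p.Town == userInput
                    select p;

        var cmd = db.GetCommand(query);          // the DbCommand LINQ to SQL would run
        Console.WriteLine(cmd.CommandText);      // ... WHERE [t0].[Town] = @p0
        foreach (System.Data.Common.DbParameter prm in cmd.Parameters)
            Console.WriteLine($"{prm.ParameterName} = {prm.Value}"); // @p0 = the raw input
    }

    // The update path from the question: SubmitChanges emits a parameterised UPDATE; db.Log prints it.
    public static void UpdateAddress(AddressDataContext db, int newAddID, string address1)
    {
        db.Log = Console.Out;
        var addRec = db.Addresses.Single(p => p.ID == newAddID);
        addRec.Address1 = address1;              // stored exactly as entered, no encoding
        db.SubmitChanges();
    }

    // Encoding belongs at the output boundary (the comments' conclusion): store raw, encode on render.
    public static string RenderAddressLine(string storedValue) => WebUtility.HtmlEncode(storedValue);
}
```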

I would suggest trying to call a stored procedure and sending in the values as parameters instead, so it can provide parameter checking for you. For example, if you declare '@Address1' as a varchar(200) then the stored procedure won't execute if the parameter contains a SQL statement instead.

You can also do checking against the fields beforehand, maybe by comparing them against a regex, but that might be a lot more effort and still not as secure as making use of a stored procedure.

Johanvw