
Is it possible for a project using entirely LinqToSQL or Entity Framework to suffer from SQL Injection?

I think probably not, because the SQL that the ORM generates should be SQL-injection free. But I'm not sure.

Carlos Muñoz
    duplicate of http://stackoverflow.com/questions/473173/will-using-linq-to-sql-help-prevent-sql-injection – Nathan Koop Aug 13 '10 at 04:14
    Not exactly a duplicate, as this also asks for Entity Framework. Also the answers are actually saying that there is a possibility for attack under some circumstances – Carlos Muñoz Aug 13 '10 at 04:36

2 Answers


When you use those frameworks as intended, i.e. the entities/tables directly, then no. All string comparisons (i.e. `where name = 'smith'`) are parameterized.

The only vulnerable spots are:

  • any string can be executed directly against the context: `dbContext.ExecuteQuery()` with any kind of destructive string.

  • a stored procedure executing dynamic SQL using any parameters given

p.campbell
    In VS2012 out of the box, `Where(a => a.column == "Quote'")` did translate to a bound var `@1=[Extent1].[column]`. And `Where(a => a.column != "Quote'")` translated to `N'Quote'''=[Extent1].[column]` – Arturo Hernandez Apr 08 '13 at 20:59
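An added C# example (not code from the answer or from LINQ to SQL itself; `ShopContext`, `Customer` and the column names are assumed) showing the three cases the answer distinguishes: the parameterized LINQ query, the `ExecuteQuery` string concatenation the first bullet warns about, and the same `ExecuteQuery` call with placeholder parameters that the DataContext binds as SQL parameters.

```csharp
using System.Collections.Generic;
using System.Data.Linq;          // LINQ to SQL: DataContext, Table<T>
using System.Data.Linq.Mapping;  // [Table] / [Column] mapping attributes
using System.Linq;

// Hypothetical schema: one Customers table with Id and Name columns.
[Table(Name = "Customers")]
public class Customer
{
    [Column(IsPrimaryKey = true)] public int Id { get; set; }
    [Column] public string Name { get; set; }
}

public class ShopContext : DataContext
{
    public ShopContext(string connectionString) : base(connectionString) { }
    public Table<Customer> Customers => GetTable<Customer>();
}

public static class CustomerLookup
{
    // Safe: the ORM translates the comparison into "WHERE Name = @p0" and
    // sends the value as a parameter, so input such as  smith' OR 1=1--
    // is compared as data and never parsed as SQL.
    public static IQueryable<Customer> ByNameLinq(ShopContext db, string name) =>
        db.Customers.Where(c => c.Name == name);

    // Vulnerable: the "any kind of destructive string" case from the answer.
    // The caller's text becomes part of the statement text the server parses,
    // so a quote in the input ends the literal and the rest is executed.
    public static IEnumerable<Customer> ByNameConcatenated(ShopContext db, string name) =>
        db.ExecuteQuery<Customer>(
            "SELECT Id, Name FROM Customers WHERE Name = '" + name + "'");

    // Hardened: ExecuteQuery takes positional placeholders ({0}, {1}, ...)
    // and binds the extra arguments as SQL parameters, so raw SQL can still
    // be issued through the context without string splicing.
    public static IEnumerable<Customer> ByNameParameterized(ShopContext db, string name) =>
        db.ExecuteQuery<Customer>(
            "SELECT Id, Name FROM Customers WHERE Name = {0}", name);
}
```

Enable `db.Log = Console.Out` on the DataContext to see the generated SQL: the first and third forms show a parameter for the name, the second shows the input spliced into the statement.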

"It depends".

Plain LINQ queries against L2S or EF entities are injection safe, but you could always call a stored procedure or function that is not injection safe.

That would clearly be an edge case, but yes it happens that people write SPs/functions that are open to injection (composing SQL-in-strings with parameter values inside the proc).

KristoferA