Entity Framework, LinqToSQL and SQL Injection

Is it possible for a project that uses LinqToSQL or Entity Framework exclusively to suffer from SQL injection?

I think probably not, because the SQL generated by the ORM should be free of SQL injection. But I'm not sure.

+5
sql-injection linq-to-sql entity-framework
Aug 13 '10 at 4:11
2 answers

When you use these frameworks as intended, i.e. against entities / tables directly, then no. All string comparisons (e.g. where name = 'smith') are parameterized.

The only vulnerabilities are:

  • any string can be executed directly against the context, e.g. dbContext.ExecuteQuery(); with an arbitrary destructive string.

  • a stored procedure that executes dynamic SQL built from the given parameters

+10
Aug 13 '10 at 4:29
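An added illustration of the two points in this answer (example code, not from the original post or from Microsoft's own docs): it assumes a LINQ to SQL DataContext with a Customers table mapped to a hypothetical Customer entity that has a Name column. The LINQ query and the placeholder form of ExecuteQuery send the value as a SQL parameter; the concatenated form makes the input part of the statement text, which is the escape hatch the answer warns about.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Linq;
using System.Linq;

// Assumed LINQ to SQL model (not from the original post): a DataContext
// exposing a Customers table mapped to a Customer entity with a Name column.
public static class CustomerLookup
{
    // Safe: the LINQ expression is translated to parameterized SQL, so the
    // value of 'name' travels as a bound parameter, never as statement text.
    public static IQueryable<Customer> ByNameLinq(DataContext db, string name)
    {
        return db.GetTable<Customer>().Where(c => c.Name == name);
    }

    // Unsafe: raw SQL built by string concatenation. The caller's input becomes
    // part of the statement, and the ORM has no way to protect it.
    public static IEnumerable<Customer> ByNameConcatenated(DataContext db, string name)
    {
        string sql = "SELECT * FROM Customers WHERE Name = '" + name + "'";
        return db.ExecuteQuery<Customer>(sql);
    }

    // Safe even with raw SQL: ExecuteQuery treats {0}-style placeholders as
    // SQL parameters and binds each argument separately from the text.
    public static IEnumerable<Customer> ByNameParameterized(DataContext db, string name)
    {
        return db.ExecuteQuery<Customer>(
            "SELECT * FROM Customers WHERE Name = {0}", name);
    }
}
```

The same distinction applies inside a stored procedure: the ORM parameterizes the call to the proc, but if the proc body concatenates those parameters into dynamic SQL, the protection ends at the proc boundary.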

"It depends".

Regular LINQ queries over L2S or EF objects are safe from injection, but you can always call a stored procedure or function that is not.

This will obviously be a marginal case, but yes, it happens that people write SPs / functions that are open to injection (concatenating inline SQL with parameter values inside the proc).

+3
Aug 13 '10 at 4:23