Perhaps read the article here that discusses how SQL Injection (which I suppose should be the main security issue here) is handled in LINQ scripts.
There's also a good article on Microsoft security considerations for EF. It is worth a read for those who develop these tools!
[Edit] As for your last comment, you can use queries similar to the ones already on this page. To condense a bit: if your database is normalized to the extent that RecordId is a unique primary key, you can bypass joins to make a query that reads a little better:

    var targetRecords = from userRecords in MyDC.UserRecords
                        where userRecords.UserTable.UserID == TheUserID
                           && userRecords.RecordsTable.RecordID == TheRecord.RecordID
                        select userRecords;

    var targetRecordsResult = targetRecords.SingleOrDefault();

I have separated the query from this “var” result here to indicate that “targetRecords” is NOT evaluated until you call SingleOrDefault on it to assign targetRecordsResult. You can, of course, wrap this in one statement if you want.
If, as already mentioned, your RecordID is a unique Primary Key, you will either receive the corresponding report or null. Please note: if this is not so, that is, if more than one record can have the same identifier, then a call to SingleOrDefault can fail. If your database is designed this way, you will have to use a query similar to the one specified by Anand. This is a bit more detailed, but ANY post with the corresponding identifier for this particular user will be returned to you.
As for security, note that your SQL statement will be compiled containing UserID, which will make it very difficult to intervene. Therefore, I want to say that in this case, the scope and impact on UserID is your main problem. If, as you stated, the user (and any potential ill-fated user) does not have access to the variable (through the influence of property, etc.), then this should be more than suitable for your needs.
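
The behaviour described in this answer, as an added example that is not part of the original answer: a lookup scoped to the owning user, deferred evaluation, and the SingleOrDefault failure on duplicate identifiers. It assumes an in-memory list as a constructed stand-in for MyDC.UserRecords (LINQ to Objects rather than LINQ to SQL); the `UserRecord` type and `FindOwned` helper are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed stand-in for a row of the UserRecords table (hypothetical shape).
record UserRecord(int UserID, int RecordID, string Title);

static class Program
{
    // Returns the record only when it belongs to userId. A record owned by
    // another user yields null, exactly like a record that does not exist.
    static UserRecord FindOwned(IEnumerable<UserRecord> table, int userId, int recordId)
    {
        var query = from ur in table
                    where ur.UserID == userId && ur.RecordID == recordId
                    select ur;              // only defines the query
        return query.SingleOrDefault();     // evaluation happens here
    }

    static void Main()
    {
        // Constructed sample data.
        var table = new List<UserRecord>
        {
            new(1, 100, "alice-report"),
            new(2, 200, "bob-report"),
        };

        // The caller supplies the record id; the user id comes from the session.
        Console.WriteLine(FindOwned(table, 1, 100)?.Title ?? "null"); // own record
        Console.WriteLine(FindOwned(table, 1, 200)?.Title ?? "null"); // someone else's

        // Deferred execution: a row added after the query was defined is still counted.
        var deferred = table.Where(ur => ur.UserID == 2);
        table.Add(new(2, 201, "bob-second"));
        Console.WriteLine(deferred.Count());

        // Duplicate identifier for the same user: SingleOrDefault throws
        // InvalidOperationException instead of silently picking one row.
        table.Add(new(1, 100, "duplicate"));
        try { FindOwned(table, 1, 100); }
        catch (InvalidOperationException) { Console.WriteLine("more than one match"); }
    }
}
```

Against a real data context, the same query shape sends the user id and record id to the database as parameters when SingleOrDefault is called.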