Will using LINQ to SQL help prevent SQL injection

by

I’m setting up a public site and the first thing on my mind is SQL injection. I have some text fields I’m saving and am using linq to update/write to the database. Am I safe using linq?

This example is creating the user account. 

Data.MemberRegistrationDataContext context = new MemberRegistrationDataContext();
Data.tbl_Member_UserProfile profile = new tbl_Member_UserProfile();
profile.SSN = Convert.ToDecimal(Session["tempMemberSSN_Registration"]);
profile.UserName = userName;
profile.Password = password;
profile.EmailAddress = email;
profile.QuestionID = qID;
profile.QuestionResponse = securityAnswer;
profile.LastModDt = DateTime.Now;
profile.LastModBy = "web";
context.tbl_Member_UserProfiles.InsertOnSubmit(profile);
context.SubmitChanges();

This example is changing the password

   MemberRegistrationDataContext dc = new MemberRegistrationDataContext();
   var mProfileRecord = dc.tbl_Member_UserProfiles.Single(c => c.SSN == sSSN);
   mProfileRecord.Password = sNewPassword;
   dc.SubmitChanges();

Are these safe? Does LINQ parameterize the SQL it generates automatically?

Contents hide
Answers:
Method 1
Method 2
Method 3

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

Yes, LINQ will help stop SQL injection.

LINQ to SQL passes all data to the
database via SQL parameters. So,
although the SQL query is composed
dynamically, the values are substitued
server side through parameters
safeguarding against the most common
cause of SQL injection attacks.

Also, see Eliminate SQL Injection Attacks Painlessly with LINQ for some info.

Method 2

You’re good to go. Linq does parameterize the data it sends to the database.

Use the Log property to check out what’s happening: dc.Log = Console.Out;

Method 3

It should because the SQL emitted uses named parameters which cannot be exploited to execute arbitrary SQL.


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x