Query on Linq to SQL and SQLInjection RRS feed

  • Question


    Recently my website was under attack of SQL Injection. So i decided to rewrite my website on .net 3.5 platform using all latest features. I am using Linq to SQL to fetch and filter records   (  and i am beginer on the topic )


    ID = Integer.Parse(Request.QueryString("id"))


    Dim dal As New DataClassesDataContext()

    Dim tbl = From p In dal.codetable2s Where = ID Select p


    For Each c In tbl

      lblTopic.Text = c.Topic



    My Question:  Are Linq to SQL queries SQL Injection Proof ?





    Sunday, July 6, 2008 7:12 PM


All replies

  • Hi,


    A common attack vector on Web sites is SQL injection where the code concatenates strings that include user input. LINQ to SQL will eliminate that problem because all input will be parameterized, which treats the input as just a parameter and not part of the SQL statement.


    BTW, Microsoft has released some tools you can use to test your site against SQL injection.  Here are a couple recent articles:






    Sunday, July 6, 2008 9:10 PM
  • Whilst LINQ to SQL protects you from SQL injection in regular use by using parameterized queries it is still possible to fall foul if you find yourself building SQL strings that contain data instead of parameter specifiers no matter what technology you are using.


    Exercise special caution, or better yet avoid entirely:

    • Stored procedures that take data/parameters and concatenate it into strings for EXEC
    • DataContext.ExecuteCommand/ExecuteQuery with data in concatenated strings
    • Modifying command objects returned from DataContext.GetCommand

    This list is not exhaustive.



    Monday, July 7, 2008 11:20 PM