SQL Injection in LINQ Object Query

  • Question

  • Hi, I have written the following code, which works fine. I just wanted to know if this is safe to use. Can this cause SQL injection if the IdXValues are user inputs or come from the browser?

    // The two column names (setting.FirstID, setting.SecondID) are spliced into the Entity SQL text;
    // the three values are bound as named parameters (@id1, @id2, @id3) and never enter the query string.
    string condition = "it." + setting.FirstID + " = @id1 AND it." + setting.SecondID + " = @id2 AND it.ThirdID = @id3";
    System.Data.Entity.Core.Objects.ObjectQuery<Partner> query = partners.Where(condition,
        new System.Data.Entity.Core.Objects.ObjectParameter("id1", this.Id1Value),
        new System.Data.Entity.Core.Objects.ObjectParameter("id2", this.Id2Value),
        new System.Data.Entity.Core.Objects.ObjectParameter("id3", this.Id3Value));

    // NoTracking: results are materialized without being attached to the context.
    var result = query.Execute(System.Data.Entity.Core.Objects.MergeOption.NoTracking).ToList();

    Sunday, November 30, 2014 2:29 PM
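The following is an added example and not the original poster's code. It separates the two things the question's snippet mixes: the three values go through ObjectParameter, so they are never part of the Entity SQL text and cannot change the query; the two column names taken from setting.FirstID and setting.SecondID are concatenated straight into the predicate, so if they can be influenced by the browser they can rewrite the WHERE clause. The helper below builds the same predicate but validates the column names against an allowlist first, and the Main shows what an unchecked hostile column name turns the predicate into. The PartnerLookup class, the Partner stub and its property names are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Entity.Core.Objects;
using System.Linq;

// Stand-in for the entity from the question (assumed property names).
public class Partner
{
    public int FirstID { get; set; }
    public int SecondID { get; set; }
    public int ThirdID { get; set; }
}

// Hypothetical helper (not from the original post).
public static class PartnerLookup
{
    // Only these property names may be spliced into the Entity SQL predicate.
    // Identifiers cannot be parameterized, so an allowlist is the control here.
    private static readonly HashSet<string> AllowedIdColumns =
        new HashSet<string>(StringComparer.Ordinal) { "FirstID", "SecondID", "ThirdID" };

    // Returns the identifier unchanged if it is on the allowlist; throws otherwise.
    public static string RequireAllowedColumn(string column)
    {
        if (column == null || !AllowedIdColumns.Contains(column))
            throw new ArgumentException("Not an allowed Partner identifier column: " + column);
        return column;
    }

    // Same predicate shape as the question, with the caller-supplied column names checked first.
    public static string BuildPredicate(string firstColumn, string secondColumn)
    {
        return "it." + RequireAllowedColumn(firstColumn) +
               " = @id1 AND it." + RequireAllowedColumn(secondColumn) +
               " = @id2 AND it.ThirdID = @id3";
    }

    // The values are bound as ObjectParameters exactly as in the question; they never
    // become part of the query text, so they are safe regardless of where they come from.
    public static List<Partner> Find(ObjectQuery<Partner> partners,
                                     string firstColumn, string secondColumn,
                                     object id1, object id2, object id3)
    {
        string predicate = BuildPredicate(firstColumn, secondColumn);
        ObjectQuery<Partner> query = partners.Where(predicate,
            new ObjectParameter("id1", id1),
            new ObjectParameter("id2", id2),
            new ObjectParameter("id3", id3));
        return query.Execute(MergeOption.NoTracking).ToList();
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed hostile column name: if setting.FirstID came from the browser
        // and were concatenated unchecked, this is the predicate the query would run.
        string hostile = "FirstID = @id1 OR 1 = 1 OR it.FirstID";
        string unchecked = "it." + hostile + " = @id1 AND it.SecondID = @id2 AND it.ThirdID = @id3";
        Console.WriteLine("Unchecked predicate: " + unchecked);

        // With the allowlist the same input is rejected before any query text is built.
        try
        {
            PartnerLookup.BuildPredicate(hostile, "SecondID");
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }

        Console.WriteLine("Checked predicate: " + PartnerLookup.BuildPredicate("FirstID", "SecondID"));
    }
}
```

If the set of selectable columns is configured rather than fixed, derive the allowlist from the entity's own property names (for example via reflection over Partner) instead of hard-coding it, but keep the principle: values are parameters, identifiers are compared against a closed list.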

All replies