SQL Injection in LINQ Object Query

Question

Hi, I have written following code that works fine. Just wanted to know if this is safe to use? Can this cause SQL Injection if IdXValues are user inputs or comes from browser?

string condition = "it." + setting.FirstID + " = @id1 AND it." + setting.SecondID + " = @id2 AND it.ThirdID = @id3";
                System.Data.Entity.Core.Objects.ObjectQuery<Partner> query = partners.Where(condition,
                            new System.Data.Entity.Core.Objects.ObjectParameter("id1", this.Id1Value),
                            new System.Data.Entity.Core.Objects.ObjectParameter("id2", this.Id2Value),
                            new System.Data.Entity.Core.Objects.ObjectParameter("id3", this.Id3Value));

                var result = query.Execute(System.Data.Entity.Core.Objects.MergeOption.NoTracking).ToList();

Answer 1

It has a whole section about EF and SQL Injection attacks.

http://msdn.microsoft.com/en-us/library/vstudio/cc716760(v=vs.100).aspx

Answer 2

Thanks darnold924.

I did read this article before posting this question but i am requiring help in interpreting it for the above scenario. 

On one hand i have constructed the where condition dynamically as a SQL string but on other hand the query is parameterized. In this scenario, is SQL injection possible?

 

Answer 3

The fact that you are using Linq kind of mitigates the SQL Injection attack.

http://www.devx.com/dotnet/Article/34653

The fact that you are using parameters kind of mitigates the attack, just like using them in inline T-SQL and sprocs. 

You can always validate the data inputted by a user and prevent SQL Injection attacks that way too.