User-707554951 posted
Hi Binumon003,
Code as below:
int variable = 1;
using (NorthWindEntities1 db = new Case_Test.NorthWindEntities1())
{
    // Query syntax
    var pRequests = (from req in db.tblStudents
                     where req.student_id == variable
                     select req).ToList();
    // Equivalent method syntax
    var x = db.tblStudents.Where(w => w.student_id == variable);
}
As far as I know, LINQ will help stop SQL injection.
LINQ is not vulnerable to SQL injection.
By default, using LINQ to SQL will prevent any SQL injection, as it sends all of the values contained in the query through as parameters automatically. LINQ will substitute all of the values server-side to make them safe and help curb any attempts at SQL injection.
https://stackoverflow.com/questions/3825760/is-this-linq-statment-vulnerable-to-sql-injection
https://stackoverflow.com/questions/8738953/is-injection-possible-through-dynamic-linq
If you want something about dynamic LINQ queries, you could check the following links:
https://weblogs.asp.net/scottgu/dynamic-linq-part-1-using-the-linq-dynamic-query-library
http://www.albahari.com/nutshell/predicatebuilder.aspx
Best regards
Cathy
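Added example, not part of the post above: it contrasts a concatenated SQL string with a LINQ query to show that the input stays a captured value in the expression tree, which is what a provider such as LINQ to SQL binds as a parameter. The `Student` class, the sample rows, the input string and the `CapturedValueFinder` helper are constructed for illustration, and an in-memory `IQueryable` stands in for the database context.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;

// Hypothetical entity for this example; not the page's tblStudents mapping.
class Student { public int Id; public string Name; }

// Collects the values a LINQ provider would bind as parameters: captured
// variables appear as member accesses on a compiler-generated closure object.
class CapturedValueFinder : ExpressionVisitor
{
    public List<object> Values = new List<object>();
    protected override Expression VisitMember(MemberExpression node)
    {
        if (node.Expression is ConstantExpression)
            Values.Add(Expression.Lambda(node).Compile().DynamicInvoke());
        return base.VisitMember(node);
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample data and a constructed hostile input.
        var students = new List<Student> {
            new Student { Id = 1, Name = "Ann" },
            new Student { Id = 2, Name = "Bob" } }.AsQueryable();
        string input = "x' OR '1'='1";

        // Concatenation: the input becomes part of the statement text.
        string concatenated = "SELECT * FROM tblStudents WHERE name = '" + input + "'";
        Console.WriteLine(concatenated);

        // LINQ: the input is a captured value in the expression tree.
        IQueryable<Student> query = students.Where(s => s.Name == input);
        var finder = new CapturedValueFinder();
        finder.Visit(query.Expression);
        Console.WriteLine("Captured values: " + string.Join(", ", finder.Values));
        Console.WriteLine("Rows matched: " + query.Count());
    }
}
```

The concatenated statement ends in `WHERE name = 'x' OR '1'='1'`, while the LINQ query compares `Name` against the whole input string and matches no rows.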