Do I need to use parametrized queries when calling ExectureStoreQuery to avoid SQL Injections?

Question

I'm wondering if I need to use parameterized queries when executing sql from ExecuteStoredProcedure in order to prevent SQL Injection attacks?

According to this MSDN link, I should be using parameters.

According to this other MSDN link, a sql string using {0} is the equivalent of using parameters.

So is it really OK to just have a {0}, {1} etc in my SQL statement:

var rv = _context.ExecuteStoreQuery<int>("select ID from table where typeID = {0}", typeID);

or do I need:

     var param = new SqlParameter("@typeID", SqlDbType.Int);
     param.Value = typeID;
     var rv = _context.ExecuteStoreQuery<int>("select ID from table where typeID = @typeID", param);

Is there a reason you are not using stored procedures? – Emmie Lewis-Briggman May 28 '12 at 12:14 — Emmie Lewis-Briggman, May 28 '12 at 12:14

score 0 · Answer 1 · answered May 25 '12 at 14:24

0

Basically it boils down to this. Are you reusing the query, with many many calls but with different values for typeID? Then yes it might make a miniscule difference in performance.

On the other hand if you're only making this one call, then majority of the performance hit will be your DB call.

Personally I've yet to see this ever make a tangible difference in any code I've written in the past 8-10 years.

So I vote - don't bother.

answered May 25 '12 at 14:24

Preet Sangha

64,563
18
145
216

I'm not asking about performance, but whether or not the first type of statement is vulnerable to a sql injection attack. I've updated the question to reflect this. – chris May 25 '12 at 14:30
so why not put that in your question? – Preet Sangha May 25 '12 at 14:31

Do I need to use parametrized queries when calling ExectureStoreQuery to avoid SQL Injections?

1 Answers1