0

I have code like this:

var newMsg = new Msg
{
    Var1 = var1,
    Var2 = var2
};

using (AppDataContext appDataContext = new AppDataContext(ConnectionString))
{
    appDataContext.CClass.InsertOnSubmit(newMsg);
    appDataContext.SubmitChanges();
}

After reading this post I believe that the same logic applies.

Does anyone think that this is subject to SQL Injection Attack?

Guy

3 Answers

5

The second answer in the post you're referencing says it:

LINQ to SQL uses execute_sql with parameters.

It does not concatenate property values into one big INSERT ... VALUES('...', '...')

liggett78
  • I'm not sure that it does... it is just a command that is parameterised. execute_sql is used to do the same from *within* TSQL. – Marc Gravell Oct 13 '08 at 04:12
  • User input that is parameterised is safe from injection. Injection attacks only apply when user input is concatenated. – David Nelson May 21 '09 at 18:03
3

The underlying operation of the DataContext is via the SqlCommand which uses parameterised SQL.

So your insert statement will look like this:

INSERT INTO [Msg] ([Var1], [Var2]) VALUES (@p1, @p2)
Aaron Powell
1

No, but you should be validating user data anyhow.