I have code like this:
    // build the entity from caller-supplied values
    var newMsg = new Msg
    {
        Var1 = var1,
        Var2 = var2
    };

    // insert it through the LINQ to SQL DataContext
    using (AppDataContext appDataContext = new AppDataContext(ConnectionString))
    {
        appDataContext.CClass.InsertOnSubmit(newMsg);
        appDataContext.SubmitChanges();
    }
After reading this post I believe that the same logic applies.
Does anyone think that this is subject to SQL Injection Attack?
The second answer in the post you're referencing says it:
LINQ to SQL uses execute_sql with parameters.
It does not concatenate property values into one big INSERT ... VALUES('...', '...')
The underlying operation of the DataContext is via the SqlCommand, which uses parameterised SQL.
So your insert statement will look like this:
    INSERT INTO [MSG] ([Var1], [Var2]) VALUES (@p1, @p2)
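As an added example (not code from the question or the answer above), the same insert with DataContext.Log attached so the command LINQ to SQL actually sends can be checked, plus the one place injection does come back: dropping to raw SQL with string concatenation. The Msg column mapping and the AppDataContext class are assumed, since the question does not show them.

```csharp
using System;
using System.Data.Linq;
using System.Data.Linq.Mapping;

// Assumed mapping; the question's Msg and CClass definitions are not shown.
[Table(Name = "MSG")]
public class Msg
{
    [Column(IsPrimaryKey = true, IsDbGenerated = true)]
    public int Id { get; set; }
    [Column] public string Var1 { get; set; }
    [Column] public string Var2 { get; set; }
}

public class AppDataContext : DataContext
{
    public AppDataContext(string connectionString) : base(connectionString) { }
    public Table<Msg> CClass => GetTable<Msg>();
}

public static class InsertCheck
{
    // Same insert as in the question. DataContext.Log echoes the generated
    // command text; the values show up as @pN parameters listed separately,
    // never spliced into the INSERT text, which is why a value such as
    // "O'Brien" or "'; DROP TABLE MSG; --" is stored as plain data.
    public static void InsertAndLog(string connectionString, string var1, string var2)
    {
        var newMsg = new Msg { Var1 = var1, Var2 = var2 };
        using (var ctx = new AppDataContext(connectionString))
        {
            ctx.Log = Console.Out;
            ctx.CClass.InsertOnSubmit(newMsg);
            ctx.SubmitChanges();
        }
    }

    // The guarantee only holds for the entity/query path. ExecuteQuery with
    // {0}-style placeholders is still parameterised by LINQ to SQL; building
    // the string yourself ("... WHERE Var1 = '" + var1 + "'") is the classic
    // injection bug and should be rejected in review.
    public static Msg[] FindByVar1(string connectionString, string var1)
    {
        using (var ctx = new AppDataContext(connectionString))
        {
            return ctx.ExecuteQuery<Msg>(
                "SELECT Id, Var1, Var2 FROM MSG WHERE Var1 = {0}", var1).ToArray();
        }
    }
}
```

Run InsertAndLog once against a test database and read the logged command: the INSERT should contain only @p0/@p1 placeholders with the values reported on separate "-- @p0: ..." lines.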
No, but you should validate user data anyway.