stackoom
  简体   繁体   中英

Is LINQ to SQL InsertOnSubmit() subject to SQL Injection Attack?

 原文  2008-10-12 21:56:05       c#/ .net/ linq-to-sql/ sql-injection

Question

I have code like this: 

var newMsg = new Msg
{
    Var1 = var1,
    Var2 = var2
};

using (AppDataContext appDataContext = new AppDataContext(ConnectionString))
{
    appDataContext.CClass.InsertOnSubmit(newMsg);
    appDataContext.SubmitChanges();
}

After reading this post I believe that the same logic applies.

Does anyone think that this is subject to SQL Injection Attack?

3 answers

solution1
 5 ACCPTED  2008-10-12 22:04:12

The second answer in the post you're referencing says it:

LINQ to SQL uses execute_sql with parameters.

It does not concatenate property values into a one big INSERT ... VALUES('...', '...')

solution2
 3  2008-10-12 23:39:55

The underlying operation of the DataContext is via the SqlCommand which uses paramatised SQL.

So your insert statement will look like this: 

INSERT INTO [MSG] [Var1] = @p1, [Var2] = @p2

solution3
 1  2008-10-12 22:53:40

否,但是无论如何您应该验证用户数据。

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question LINQ 2 SQL: AddObject and InsertOnSubmit linq-to-sql InsertOnSubmit LINQ to SQL: InsertOnSubmit() vs Add() LINQ to SQL in C# issue with InsertOnSubmit LINQ to SQL insertonsubmit() does not work (Windows Forms) Linq to SQL, InsertOnSubmit vs. InsertAllOnSubmit performance? NullReferenceException when doing InsertOnSubmit in LINQ to SQL how to prevent an SQL Injection Attack? Sql Injection - Is the following open to attack? Does LINQ To SQL C# eliminate any possibility of a SQL injection attack?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM