LINQ and SQL Injection

In my WebDD09 talk on Saturday I mentioned SQL injection and LINQ. I’ve had a query about what exactly is the problem with LINQ as I was constrained by time and only mentioned it in passing.

Microsoft asserts that LINQ stops SQL injection attacks:

LINQ to SQL avoids such injection by using SqlParameter in queries. User input is turned into parameter values. This approach prevents malicious commands from being used from customer input.

This is generally true, however LINQ has a problem method – ExecuteQuery. This methodexecutes queries directly on the server which can lead to injection. Now ExecuteQuery does support parameters:

IEnumerable<Customer> results = db.ExecuteQuery<Customer>(
    "SELECT contactname FROM customers WHERE city = {0}",
    "London");

However if you don't know about SQL parameters already it's going to be all to tempting to build a command string up with concatenation and then bang, there’s SQL Injection. I’ve seen ExecuteQuery recommended for optimisation and performance with scant or no warnings given about parameterisation.

In summary LINQ avoids SQL Injection - if you use it properly – but the same thing can be said about the ADO.NET classes… and we know people still slip up using those.

Technorati Tags: LINQ,SQL Injection

Monday, April 20, 2009 9:58 AM

Your Comments.

# re: LINQ and SQL Injection

Hi,
I've been messing around with L2S but am new to SQL in general, and just came across this post. Am I right in thinking that the example you've given is open to an injection attack as "London" could have been an SQL injection string? If so, how do I avoid any injection attacks when using ExecuteQuery?
Or have I got the wrong end of the stick and your code is actually the safe version of doing things?
Thanks

Left by S. J. at 9/12/2009 2:11 AM

# re: LINQ and SQL Injection

The example with London uses a parameterised query - that's what the {0} is. So if you stick to that then you're ok. It's when you start building SQL strings in the old way that you're going to become vulnerable.

Left by barryd at 9/12/2009 9:02 PM

# re: LINQ and SQL Injection

Ah, that makes sense :)
Thanks for the post!

Left by S. J. at 9/13/2009 12:03 AM

Your Reply.

Comment Form.

Fields denoted with a "*" are required.

*Your name:

*Subject:

You may also like to leave your email or website.

*Your message:

Please add 7 and 3 and type the answer here:

Enter the code shown above:

Preview Your Comment.

# re: LINQ and SQL Injection
Hi,
I've been messing around with L2S but am new to SQL in general, and just came across this post. Am I right in thinking that the example you've given is open to an injection attack as "London" could have been an SQL injection string? If so, how do I avoid any injection attacks when using ExecuteQuery?
Or have I got the wrong end of the stick and your code is actually the safe version of doing things?
Thanks

Left by S. J. at 9/12/2009 2:11 AM
# re: LINQ and SQL Injection
The example with London uses a parameterised query - that's what the {0} is. So if you stick to that then you're ok. It's when you start building SQL strings in the old way that you're going to become vulnerable.

Left by barryd at 9/12/2009 9:02 PM
# re: LINQ and SQL Injection
Ah, that makes sense :)
Thanks for the post!

Left by S. J. at 9/13/2009 12:03 AM

Jump Menu

So what are all these buttons for?

Personalize

Text Size

Layout

Navigation Position

idunno.org

now with extra subtext goodness

LINQ and SQL Injection

Your Comments.

Your Reply.

Preview Your Comment.

Tag Cloud

Article Categories

Archives

Post Categories

Syndicate

Shiny Badge Things