Question
I am using ASP.NET MVC 3 with WCF, EF 4.1 and SQL Azure. I am building the search engine for my application and using Dynamic LINQ to build queries. I want to avoid SQL injection in this scenario. What is the best practice for this? What precautions should I take in this scenario?
Answer 1:
As long as you are building your queries through LINQ, then you are not vulnerable to SQL injection. While this doesn't mean that your code is invulnerable to ALL sorts of attacks (brute forcing passwords, etc.), you won't be vulnerable to SQL injection.
Answer 2:
Dynamic LINQ automatically protects against a SQL injection attack, even if you build up your arguments using Request.QueryString etc.
You can add your own layer of very basic checking by making sure that no input strings contain the ";" character, which is typically used in SQL injection to allow entering custom SQL queries.
See also http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx.
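Added example, not code from either answerer: the protection described above holds when request values are passed to Dynamic LINQ as placeholder arguments (`@0`, `@1`, ...) rather than concatenated into the predicate string, and a column name used for sorting cannot be a placeholder, so it is checked against a whitelist. It assumes the System.Linq.Dynamic package (namespace `System.Linq.Dynamic`); the `Product` class and the sample rows are constructed for the demo and are evaluated in memory, but the same `IQueryable<Product>` methods apply to an EF `DbSet`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Dynamic; // Dynamic LINQ string-based Where/OrderBy

public class Product // constructed entity for the demo
{
    public int Id { get; set; }
    public string Name { get; set; }
    public decimal Price { get; set; }
}

public static class ProductSearch
{
    // The request value travels as a *value* through the @0 placeholder.
    // The predicate text never contains user data, so the input can only be
    // compared as a string; it cannot change the expression tree or the SQL
    // that EF later generates from it.
    public static IQueryable<Product> ByName(IQueryable<Product> products, string nameFromRequest)
    {
        return products.Where("Name.Contains(@0)", nameFromRequest);
    }

    // A sort column is part of the expression, not a value, so it is resolved
    // against a fixed list instead of being spliced in from the request.
    private static readonly HashSet<string> SortColumns =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Name", "Price" };

    public static IQueryable<Product> OrderByColumn(IQueryable<Product> products, string column, bool descending)
    {
        if (!SortColumns.Contains(column))
            column = "Name"; // unknown column: fall back, never pass it through
        return products.OrderBy(column + (descending ? " descending" : ""));
    }
}

class Demo
{
    static void Main()
    {
        var data = new List<Product> // constructed sample rows
        {
            new Product { Id = 1, Name = "Widget", Price = 9.99m },
            new Product { Id = 2, Name = "Gadget", Price = 19.99m },
        }.AsQueryable();

        // Operator-like input is just a string to search for: it matches nothing.
        var hits = ProductSearch.ByName(data, "\" || true || \"").ToList();
        Console.WriteLine("matches: " + hits.Count);
        Console.WriteLine("first by price desc: " + ProductSearch.OrderByColumn(data, "Price", true).First().Name);
    }
}
```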
Source: https://stackoverflow.com/questions/8357062/how-to-avoid-sql-injection-with-linq-with-ef-in-codefirst-technique-in-c-sharp