Does LINQ's ExecuteCommand provide protection from SQL injection attacks?

Question

I\'ve got a situation where I need to use LINQ\'s ExecuteCommand method to run an insert.

Something like (simplified for purposes of this question):

Answer 1

LINQ to SQL uses exec_sql with parameters, which is much safer than concatenating into the ad-hoc query string. It should be as safe againt SQL injection as using SqlCommand and its Paramaters collection (in fact, it's probably what LINQ to SQL uses internally). Then again, how safe is that?

Answer 2

Did some research, and I found this:

In my simple testing, it looks like the parameters passed in the ExecuteQuery and ExecuteCommand methods are automatically SQL encoded based on the value being supplied. So if you pass in a string with a ' character, it will automatically SQL escape it to ''. I believe a similar policy is used for other data types like DateTimes, Decimals, etc.

http://weblogs.asp.net/scottgu/archive/2007/08/27/linq-to-sql-part-8-executing-custom-sql-expressions.aspx
(You have scroll way down to find it)

This seems a little odd to me - most other .Net tools know better than to "SQL escape" anything; they use real query parameters instead.