Is it possible for a project using entirely LinqToSQL or Entity Framework to suffer from SQL injection?
I think probably not, because the SQL that the ORM generates should be SQL-injection free. But I'm not sure.
When you use those frameworks as intended, i.e. the entities/tables directly, then no. All string comparisons (i.e. `where name = 'smith'`) are parameterized.
The only vulnerable spots are:
- any string can be executed directly against the context: `dbContext.ExecuteQuery();` with any kind of destructive string
- a stored procedure executing dynamic SQL using any parameters given
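As an added illustration (not code from the original answers), here are the three query shapes the answer distinguishes, written against LINQ to SQL. The `Customer` entity and `Customers` table are assumed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Linq;          // DataContext, ExecuteQuery<T>, GetTable<T>
using System.Data.Linq.Mapping;  // [Table], [Column]
using System.Linq;

// Hypothetical entity mapped to a Customers table (assumption, not from the page).
[Table(Name = "Customers")]
public class Customer
{
    [Column(IsPrimaryKey = true)] public int Id { get; set; }
    [Column] public string Name { get; set; }
}

public static class CustomerQueries
{
    // VULNERABLE: the caller's value is spliced into the SQL text, so a value like
    //   smith' OR '1'='1
    // changes the statement itself. This is the "any string executed directly
    // against the context" case from the answer above.
    public static IEnumerable<Customer> ByNameConcatenated(DataContext db, string name)
    {
        string sql = "SELECT Id, Name FROM Customers WHERE Name = '" + name + "'";
        return db.ExecuteQuery<Customer>(sql);
    }

    // SAFE: {0} is a placeholder that LINQ to SQL binds as a SQL parameter (@p0);
    // the value is sent separately from the statement and cannot alter its shape.
    public static IEnumerable<Customer> ByNameParameterized(DataContext db, string name)
    {
        return db.ExecuteQuery<Customer>(
            "SELECT Id, Name FROM Customers WHERE Name = {0}", name);
    }

    // SAFE: a plain LINQ query over the mapped table. The provider emits a
    // parameterized WHERE clause (WHERE [t0].[Name] = @p0) for the comparison.
    public static IQueryable<Customer> ByNameLinq(DataContext db, string name)
    {
        return db.GetTable<Customer>().Where(c => c.Name == name);
    }

    // Caveat matching the answer's second bullet: a parameterized call is only as
    // safe as what it invokes. If the stored procedure below builds dynamic SQL
    // from @name (EXEC('... ' + @name + ' ...')), the injection merely moves
    // server-side; review the procedure body, not just the calling code.
    public static IEnumerable<Customer> ByNameViaProc(DataContext db, string name)
    {
        return db.ExecuteQuery<Customer>("EXEC dbo.FindCustomerByName {0}", name);
    }
}
```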
"It depends".
Plain LINQ queries against L2S or EF entities are injection safe, but you could always call a stored procedure or function that is not injection safe.
That would clearly be an edge case, but yes it happens that people write SPs/functions that are open to injection (composing SQL-in-strings with parameter values inside the proc).
Source: https://stackoverflow.com/questions/3473841/entity-framework-linqtosql-and-sql-injection