Entity Framework, LinqToSQL and sql injection

Posted by 浪子不回头ぞ on 2019-12-06 02:18:04

Question


Is it possible for a project using entirely LinqToSQL or Entity Framework to suffer from SQL injection?

I think that probably not because the SQL that the ORM generates should be sql-injection free. But I'm not sure.


Answer 1:


When you use those frameworks as intended, i.e. the entities/tables directly, then no. All string comparisons (i.e. where name = 'smith') are parameterized.

The only vulnerable spots are:

  • any string can be executed directly against the context: dbContext.ExecuteQuery() with any kind of destructive string.

  • a stored procedure executing dynamic SQL using any parameters given




Answer 2:


"It depends".

Plain LINQ queries against L2S or EF entities are injection safe, but you could always call a stored procedure or function that is not injection safe.

That would clearly be an edge case, but yes it happens that people write SPs/functions that are open to injection (composing SQL-in-strings with parameter values inside the proc).
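The edge case both answers describe, as an added T-SQL example that is not part of the original thread (the table dbo.Customers, the procedure names and the triage heuristic are assumptions): a procedure that composes SQL-in-strings from its parameter, the same query kept parameterized through sp_executesql, and a rough review query over sys.sql_modules to find candidates for string-built dynamic SQL.

```sql
-- Added example, not from the original thread. Table dbo.Customers is assumed.

-- Vulnerable form: @LastName is pasted into the SQL text, so the WHERE clause
-- is whatever the caller passes. The ORM parameterizing its call to the
-- procedure does not help; the concatenation happens inside the proc.
CREATE PROCEDURE dbo.FindCustomers_Unsafe
    @LastName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT Id, FirstName, LastName FROM dbo.Customers WHERE LastName = '''
        + @LastName + N'''';
    EXEC (@sql);
END
GO

-- Hardened form: the SQL text is constant and the value travels as a typed
-- parameter of sp_executesql, so it is only ever compared, never parsed.
CREATE PROCEDURE dbo.FindCustomers_Safe
    @LastName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT Id, FirstName, LastName FROM dbo.Customers WHERE LastName = @p';
    EXEC sys.sp_executesql @sql, N'@p NVARCHAR(100)', @p = @LastName;
END
GO

-- Rough triage (assumed heuristic, expect false positives): list modules that
-- both execute dynamic SQL and concatenate strings, then read each by hand.
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
       OBJECT_NAME(m.object_id)        AS module_name
FROM sys.sql_modules AS m
WHERE (m.definition LIKE '%EXEC (%' OR m.definition LIKE '%EXEC(%'
       OR m.definition LIKE '%sp_executesql%')
  AND m.definition LIKE '%+%'
ORDER BY schema_name, module_name;
```

The triage query flags dbo.FindCustomers_Unsafe (EXEC plus concatenation) and will also flag the safe version if its definition happens to contain a '+', which is why it is a reading list, not a verdict.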



Source: https://stackoverflow.com/questions/3473841/entity-framework-linqtosql-and-sql-injection
