问题
I've got a situation where I need to use LINQ's ExecuteCommand method to run an insert.
Something like (simplified for purposes of this question):
object[] oParams = { Guid.NewGuid(), rec.WebMethodID };
TransLogDataContext.ExecuteCommand (
"INSERT INTO dbo.Transaction_Log (ID, WebMethodID) VALUES ({0}, {1})",
oParams);
The question is if this is SQL injection proof in the same way parameterized queries are?
回答1:
Did some research, and I found this:
In my simple testing, it looks like the parameters passed in the ExecuteQuery and ExecuteCommand methods are automatically SQL encoded based on the value being supplied. So if you pass in a string with a ' character, it will automatically SQL escape it to ''. I believe a similar policy is used for other data types like DateTimes, Decimals, etc.
http://weblogs.asp.net/scottgu/archive/2007/08/27/linq-to-sql-part-8-executing-custom-sql-expressions.aspx
(You have scroll way down to find it)
This seems a little odd to me - most other .Net tools know better than to "SQL escape" anything; they use real query parameters instead.
回答2:
LINQ to SQL uses exec_sql with parameters, which is much safer than concatenating into the ad-hoc query string. It should be as safe againt SQL injection as using SqlCommand and its Paramaters collection (in fact, it's probably what LINQ to SQL uses internally). Then again, how safe is that?
来源:https://stackoverflow.com/questions/157924/does-linqs-executecommand-provide-protection-from-sql-injection-attacks