LINQ - do SQL injection attacks occur in LINQ?

Posted by Akiii under Others on 4/17/2011 | Points: 10 | Views : 5154 | Status : [Member] | Replies : 7
Hi,
Can anyone please explain, by giving an example, why there will be no SQL injection attacks while using LINQ?

string str = "select * from emp_table";
(Here SQL injection occurs)

Vs

var my_value = from c in emp_table select c;

How is SQL injection prevented here?

Any help is appreciated....

Thanks and Regards
Akiii




Responses

Posted by: Umeshdwivedi on: 4/17/2011 [Member] Starter | Points: 25

Hello
As developers assume more of the security burden, the first web application vulnerability that many developers learn about is a particularly dangerous form of command injection known as SQL injection. Command injection in its archetypal form is any vulnerability that allows an attacker to run an unintended command on your server by providing unanticipated input that alters the way you intended the web application to run. Because it's so well-known, SQL injection attacks are common, dangerous, and pervasive. Fortunately, you can prevent SQL injection easily once you understand the problem. Even better, a new Microsoft data access technology offers .NET developers the opportunity to eliminate SQL injection vulnerabilities altogether, when used properly. That technology is called Language Integrated Query (LINQ), and it will ship in the upcoming release of Visual Studio "Orcas" and .NET Framework 3.5. This article explores LINQ's potential for hardening your web application's data access code so that it's impossible to attack through SQL injection.
Reference by http://www.devx.com/dotnet/Article/34653

Latest Technology Trainer
And Part time software consultant


Posted by: SheoNarayan on: 4/17/2011 [Administrator] HonoraryPlatinum | Points: 25

Hi Akiii,

This is for a simple reason: whatever query you write in LINQ is converted into the corresponding SQL query by the .NET engine, and that engine takes care of injection. (In general, if you use parameterized statements in SQL you avoid SQL injection, and a LINQ query is converted into something similar by the .NET engine.)

By the way, even your first SQL statement will not have SQL injection either. Remember that unless you are going to pass some user input into the SQL statement, there is hardly any chance of SQL injection.

// Vulnerable: firstName is concatenated straight into the SQL text
string str = "select * from emp_table where FirstName = '" + firstName + "'";


The above code is prone to SQL injection, as we are passing the firstName variable into the SQL statement.

Hope this will help.

Regards,
Sheo Narayan
http://www.dotnetfunda.com


Posted by: Akiii on: 4/17/2011 [Member] Bronze | Points: 25

@Umeshdwivedi......

Thanks, a very informative article.

Akiii


Posted by: Akiii on: 4/17/2011 [Member] Bronze | Points: 25

@Sheo Narayan.......

Sir, can we pass user input into a LINQ query?
If yes, then how do we prevent SQL injection?
Can we use stored procedures in LINQ too?

Thanks
Akiii


Posted by: SheoNarayan on: 4/17/2011 [Administrator] HonoraryPlatinum | Points: 25

Akiii,

Yes, you can pass parameters to LINQ; you do not need to worry about SQL injection, as it is managed internally.
Yes, you can use stored procedures in LINQ.

Read the following articles; they should give you enough knowledge to start with LINQ:
http://www.dotnetfunda.com/articles/article754-how-to-use-linq-.aspx
http://www.dotnetfunda.com/articles/article993-frequently-used-linq-extension-methods-.aspx

Thanks

Regards,
Sheo Narayan
http://www.dotnetfunda.com

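To make the two points in Sheo Narayan's replies concrete (the concatenated string is injectable; the parameterized statement that LINQ to SQL generates for a `where c.FirstName == firstName` clause is not), here is an added example that is not part of the original thread. It models the generated SQL in Python with sqlite3 instead of running LINQ, because the protection is a property of how the value reaches the database, not of C#; the emp_table rows and the attack string are constructed for the demo. LINQ to SQL binds the value as a named parameter (@p0 on SQL Server); sqlite's positional `?` plays the same role here.

```python
import sqlite3

# Constructed sample data standing in for the page's emp_table.
EMPLOYEES = [
    (1, "Akiii", "Engineering"),
    (2, "Sheo", "Management"),
    (3, "Umesh", "Training"),
]


def make_db():
    """In-memory database with a small emp_table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE emp_table (Id INTEGER PRIMARY KEY, FirstName TEXT, Dept TEXT)"
    )
    con.executemany("INSERT INTO emp_table VALUES (?, ?, ?)", EMPLOYEES)
    return con


def find_by_name_concat(con, first_name):
    """The page's vulnerable pattern: user input pasted into the SQL text,
    so the input can change the shape of the query."""
    sql = "select * from emp_table where FirstName = '" + first_name + "'"
    return con.execute(sql).fetchall()


def find_by_name_param(con, first_name):
    """What LINQ to SQL emits for `where c.FirstName == firstName`:
    the value is bound as a parameter (@p0 on SQL Server, ? here) and is
    only ever compared against the column, never parsed as SQL."""
    sql = "select * from emp_table where FirstName = ?"
    return con.execute(sql, (first_name,)).fetchall()


def demo():
    """Run an honest lookup and a tautology payload through both forms."""
    con = make_db()
    payload = "' OR '1'='1"  # constructed attack string
    return {
        "concat_honest": find_by_name_concat(con, "Akiii"),
        "concat_attack": find_by_name_concat(con, payload),  # every row leaks
        "param_honest": find_by_name_param(con, "Akiii"),
        "param_attack": find_by_name_param(con, payload),  # no row named "' OR '1'='1"
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Run it and the concatenated query returns every row for the payload `' OR '1'='1`, while the parameterized query returns nothing, because the whole payload is compared literally against FirstName. The guarantee holds only while the value travels as a parameter: if code builds the SQL text itself by concatenation and hands it to a raw-SQL method (for example LINQ to SQL's DataContext.ExecuteQuery with an already-concatenated string instead of its {0} placeholders), the behaviour of the first function comes back.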

Posted by: Akiii on: 4/17/2011 [Member] Bronze | Points: 25

@Sheo Narayan.....

Thanks, Sir, for the links.

Akiii


Posted by: Abhisekjani on: 4/17/2011 [Member] Starter | Points: 25

...

