Linq - does SQL Injection attacks occurs in LINQ ??

Posted by Akiii under Others on 4/17/2011 | Points: 10 | Views : 7050 | Status : [Member] | Replies : 7

Write New Post |

Search Forums | Answered

Resolved Posts |

Un Answered Posts |

Forums Home

Hi,
can anyone please explain by giving example, why there will be no sql injection attacks while using LINQ ??

string str = "select * from emp_table"
(Here sql injection occurs)

Vs

var my_value = from c in emp_table select c;

How can sql injection is prevented here ??

Any help is appreciated....

Thanks and Regards
Akiii

Reply | Reply with Attachment

Alert Moderator

Responses

Posted by: Umeshdwivedi on: 4/17/2011 [Member] Starter | Points: 25

0	Hello As developers assume more of the security burden, the first web application vulnerability that many developers learn about is a particularly dangerous form of command injection known as SQL injection. Command injection in its archetypal form is any vulnerability that allows an attacker to run an unintended command on your server by providing unanticipated input that alters the way you intended the web application to run. Because it's so well-known, SQL injection attacks are common, dangerous, and pervasive. Fortunately, you can prevent SQL injection easily once you understand the problem. Even better, a new Microsoft data access technology offers .NET developers the opportunity to eliminate SQL injection vulnerabilities altogether-when used properly. That technology is called Language Integrated Query (LINQ), and it will ship in the upcoming release of Visual Studio "Orcas" and .NET Framework 3.5. This article explores LINQ's potential for hardening your web application's data access code so that it's impossible to attack through SQL Injection Reference by http://www.devx.com/dotnet/Article/34653 Latest Technology Trainer And Part time software consultant Akiii, if this helps please login to Mark As Answer. \| Alert Moderator

Hello
As developers assume more of the security burden, the first web application vulnerability that many developers learn about is a particularly dangerous form of command injection known as SQL injection. Command injection in its archetypal form is any vulnerability that allows an attacker to run an unintended command on your server by providing unanticipated input that alters the way you intended the web application to run. Because it's so well-known, SQL injection attacks are common, dangerous, and pervasive. Fortunately, you can prevent SQL injection easily once you understand the problem. Even better, a new Microsoft data access technology offers .NET developers the opportunity to eliminate SQL injection vulnerabilities altogether-when used properly. That technology is called Language Integrated Query (LINQ), and it will ship in the upcoming release of Visual Studio "Orcas" and .NET Framework 3.5. This article explores LINQ's potential for hardening your web application's data access code so that it's impossible to attack through SQL Injection
Reference by http://www.devx.com/dotnet/Article/34653

Latest Technology Trainer
And Part time software consultant

Akiii, if this helps please login to Mark As Answer. | Alert Moderator

Posted by: SheoNarayan on: 4/17/2011 [Administrator] HonoraryPlatinum | Points: 25

0	Hi Akii, This is for simple reason that whatever query you write into LINQ is converted into corresponding SQL query by the .NET engine and that engine takes care of the Injections (In general if you use parameterized statements in SQL, you avoid the SQL Injection and LINQ query is converted something similar by the .NET engine.). By the way, even your first SQL Statement will also not have SQL Injection, remember that unless you are going to pass some user input to the SQL statements there is hardly any chance of SQL Injection. string str = "select * from emp_table where FirstName = '"+ firstName + "'" Above code is prone to SQL Injection as we are passing firstName variable to the SQL statements. Hope this will help. Regards, Sheo Narayan http://www.dotnetfunda.com Akiii, if this helps please login to Mark As Answer. \| Alert Moderator

Hi Akii,

This is for simple reason that whatever query you write into LINQ is converted into corresponding SQL query by the .NET engine and that engine takes care of the Injections (In general if you use parameterized statements in SQL, you avoid the SQL Injection and LINQ query is converted something similar by the .NET engine.).

By the way, even your first SQL Statement will also not have SQL Injection, remember that unless you are going to pass some user input to the SQL statements there is hardly any chance of SQL Injection.

string str = "select * from emp_table where  FirstName = '"+ firstName + "'"

Above code is prone to SQL Injection as we are passing firstName variable to the SQL statements.

Hope this will help.

Regards,
Sheo Narayan
http://www.dotnetfunda.com

Akiii, if this helps please login to Mark As Answer. | Alert Moderator

Posted by: Akiii on: 4/17/2011 [Member] Bronze | Points: 25

0	@Umeshdwivedi...... thanks.....very informative article........ Akiii Akiii, if this helps please login to Mark As Answer. \| Alert Moderator

Posted by: Akiii on: 4/17/2011 [Member] Bronze | Points: 25

0	@Sheo Narayan....... Sir can we pass user input in linq query ?? If yes, then how to prevent sql injection....? can we use stored procedure in linq too ?? Thanks Akiii Akiii, if this helps please login to Mark As Answer. \| Alert Moderator

Posted by: SheoNarayan on: 4/17/2011 [Administrator] HonoraryPlatinum | Points: 25

0	Akiii, Yes, you can pass parameter to the LINQ, you do not need to worry about SQL Injection it is managed internally. Yes, you can use Stored Procedure in LINQ. Read following article, that should give you enough knowledge to start with LINQ http://www.dotnetfunda.com/articles/article754-how-to-use-linq-.aspx http://www.dotnetfunda.com/articles/article993-frequently-used-linq-extension-methods-.aspx Thanks Regards, Sheo Narayan http://www.dotnetfunda.com Akiii, if this helps please login to Mark As Answer. \| Alert Moderator

Akiii,

Yes, you can pass parameter to the LINQ, you do not need to worry about SQL Injection it is managed internally.
Yes, you can use Stored Procedure in LINQ.

Read following article, that should give you enough knowledge to start with LINQ
http://www.dotnetfunda.com/articles/article754-how-to-use-linq-.aspx
http://www.dotnetfunda.com/articles/article993-frequently-used-linq-extension-methods-.aspx

Thanks

Regards,
Sheo Narayan
http://www.dotnetfunda.com

Akiii, if this helps please login to Mark As Answer. | Alert Moderator

Posted by: Akiii on: 4/17/2011 [Member] Bronze | Points: 25

0	@Sheo Narayan..... Thanks Sir for the links..... Akiii Akiii, if this helps please login to Mark As Answer. \| Alert Moderator

Posted by: Abhisekjani on: 4/17/2011 [Member] Starter | Points: 25

0	... Akiii, if this helps please login to Mark As Answer. \| Alert Moderator

Latest Posts