将使用LINQ to SQL帮助prevent SQL注入 [英] Will using LINQ to SQL help prevent SQL injection

问题描述

我设立一个公共网站，在我脑海的第一件事就是SQL注入。我有一些文本字段我节省和我使用LINQ更新/写入数据库。我是不是安全使用LINQ？

I'm setting up a public site and the first thing on my mind is SQL injection. I have some text fields I'm saving and am using linq to update/write to the database. Am I safe using linq?

这个例子是创建用户帐户。

This example is creating the user account.

Data.MemberRegistrationDataContext context = new MemberRegistrationDataContext();
Data.tbl_Member_UserProfile profile = new tbl_Member_UserProfile();
profile.SSN = Convert.ToDecimal(Session["tempMemberSSN_Registration"]);
profile.UserName = userName;
profile.Password = password;
profile.EmailAddress = email;
profile.QuestionID = qID;
profile.QuestionResponse = securityAnswer;
profile.LastModDt = DateTime.Now;
profile.LastModBy = "web";
context.tbl_Member_UserProfiles.InsertOnSubmit(profile);
context.SubmitChanges();

密码

这例子是改变

This example is changing the password

   MemberRegistrationDataContext dc = new MemberRegistrationDataContext();
   var mProfileRecord = dc.tbl_Member_UserProfiles.Single(c => c.SSN == sSSN);
   mProfileRecord.Password = sNewPassword;
   dc.SubmitChanges();

这些是安全的？是否LINQ参数，它会自动生成SQL？

Are these safe? Does LINQ parameterize the SQL it generates automatically?

推荐答案

是，LINQ将有助于阻止SQL注入。

Yes, LINQ will help stop SQL injection.

LINQ到SQL传递所有数据到
  通过SQL参数数据库。所以，
  虽然SQL查询组成
  动态，值被取代的
  通过参数服务器端
  维护对最常见的
  事业的SQL注入攻击。

LINQ to SQL passes all data to the database via SQL parameters. So, although the SQL query is composed dynamically, the values are substitued server side through parameters safeguarding against the most common cause of SQL injection attacks.

此外，请参阅消除SQL注入攻击无痛使用LINQ 获得一些信息。

Also, see Eliminate SQL Injection Attacks Painlessly with LINQ for some info.

这篇关于将使用LINQ to SQL帮助prevent SQL注入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！