Does LINQ's ExecuteCommand provide protection from SQL injection attacks?


Question

I've got a situation where I need to use LINQ's ExecuteCommand method to run an insert.

Something like (simplified for purposes of this question):

object[] oParams = { Guid.NewGuid(), rec.WebMethodID };

TransLogDataContext.ExecuteCommand (
"INSERT INTO dbo.Transaction_Log (ID, WebMethodID) VALUES ({0}, {1})",
oParams);

The question is if this is SQL injection proof in the same way parameterized queries are?

Answer

Did some research, and I found this:

In my simple testing, it looks like the parameters passed in the ExecuteQuery and ExecuteCommand methods are automatically SQL encoded based on the value being supplied. So if you pass in a string with a ' character, it will automatically SQL escape it to ''. I believe a similar policy is used for other data types like DateTimes, Decimals, etc.

http://weblogs.asp.net/scottgu/archive/2007/08/27/linq-to-sql-part-8-executing-custom-sql-expressions.aspx
(You have to scroll way down to find it)

This seems a little odd to me - most other .Net tools know better than to "SQL escape" anything; they use real query parameters instead.
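As an added illustration (not code from the question or the answer), the snippet below puts the dangerous pattern (formatting the value into the SQL text yourself) next to the pattern from the question (leaving {0}/{1} in the command text and passing the values separately), and adds a check that routes DataContext.Log to a StringWriter to confirm the statement LINQ to SQL actually sends carries parameter markers rather than the raw value. The TransLogDataContext class, its parameterless constructor and a string WebMethodID column are assumptions taken from the question.

```csharp
using System;
using System.Data.Linq;
using System.IO;

// Assumed (not in the original post): TransLogDataContext is a LINQ to SQL DataContext
// for dbo.Transaction_Log with a uniqueidentifier ID and a string WebMethodID column.
static class ExecuteCommandCheck
{
    // UNSAFE: string.Format splices the value into the SQL text before ExecuteCommand
    // runs, so no placeholders are left for LINQ to SQL to turn into parameters.
    public static void InsertUnsafe(TransLogDataContext db, Guid id, string webMethodId)
    {
        string sql = string.Format(
            "INSERT INTO dbo.Transaction_Log (ID, WebMethodID) VALUES ('{0}', '{1}')",
            id, webMethodId);
        db.ExecuteCommand(sql);
    }

    // SAFE: the {0}/{1} placeholders stay in the command text and the values travel in
    // the params array, which LINQ to SQL binds as SqlParameters (@p0, @p1) instead of text.
    public static void InsertSafe(TransLogDataContext db, Guid id, string webMethodId)
    {
        db.ExecuteCommand(
            "INSERT INTO dbo.Transaction_Log (ID, WebMethodID) VALUES ({0}, {1})",
            id, webMethodId);
    }

    // Check: capture what LINQ to SQL sends via DataContext.Log. The first log line is the
    // statement text; it should contain @p markers and never the probe value itself.
    public static bool StatementIsParameterized(TransLogDataContext db, string probe)
    {
        var log = new StringWriter();
        db.Log = log;
        InsertSafe(db, Guid.NewGuid(), probe);
        string statement = log.ToString().Split('\n')[0];
        return statement.Contains("@p") && !statement.Contains(probe);
    }

    static void Main()
    {
        using (var db = new TransLogDataContext())
        {
            // Constructed sample value containing the ' character discussed in the answer.
            Console.WriteLine(StatementIsParameterized(db, "O'Brien"));
        }
    }
}
```

The check inserts a real row, so run it against a scratch database or inside a transaction you roll back.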
