LINQ 的 ExecuteCommand 是否提供对 SQL 注入攻击的保护? [英] Does LINQ's ExecuteCommand provide protection from SQL injection attacks?

问题描述

我遇到了需要使用 LINQ 的 ExecuteCommand 方法来运行插入的情况.

I've got a situation where I need to use LINQ's ExecuteCommand method to run an insert.

类似的东西(为了这个问题而简化):

Something like (simplified for purposes of this question):

object[] oParams = { Guid.NewGuid(), rec.WebMethodID };

TransLogDataContext.ExecuteCommand (
"INSERT INTO dbo.Transaction_Log (ID, WebMethodID) VALUES ({0}, {1})",
oParams);

问题是这是否和参数化查询一样是 SQL 注入证明?

The question is if this is SQL injection proof in the same way parameterized queries are?

推荐答案

做了一些研究，我发现了这个:

Did some research, and I found this:

在我的简单测试中，它看起来像传入的参数执行查询和执行命令方法是自动 SQL 编码的基于提供的值.所以如果你传入一个带有 ' 的字符串字符，它会自动 SQL将其转义为 ''.我相信类似的策略用于其他数据类型如日期时间、小数等.

In my simple testing, it looks like the parameters passed in the ExecuteQuery and ExecuteCommand methods are automatically SQL encoded based on the value being supplied. So if you pass in a string with a ' character, it will automatically SQL escape it to ''. I believe a similar policy is used for other data types like DateTimes, Decimals, etc.

http://weblogs.asp.net/scottgu/archive/2007/08/27/linq-to-sql-part-8-executing-custom-sql-expressions.aspx
(您可以向下滚动以找到它)

http://weblogs.asp.net/scottgu/archive/2007/08/27/linq-to-sql-part-8-executing-custom-sql-expressions.aspx
(You have scroll way down to find it)

这对我来说似乎有点奇怪 - 大多数其他 .Net 工具都比SQL 转义"更清楚；他们使用真实的查询参数代替.

This seems a little odd to me - most other .Net tools know better than to "SQL escape" anything; they use real query parameters instead.

这篇关于LINQ 的 ExecuteCommand 是否提供对 SQL 注入攻击的保护?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！