问题描述

关于L2E是否易受SQL注入影响，我已经看到了几篇相互矛盾的文章.

I've seen a couple of conflicting articles about whether or not L2E is susceptible to SQL injection.

来自 MSDN :

这是否意味着可能存在非传统"攻击? 本文有一个非参数化查询的示例-是否可以安全地假设，如果您通过变量传递用户提供的数据，则该参数将被参数化?

Does that imply that there are "non-traditional" attacks that may work? This article has one example of a non-parameterized query - is it safe to assume that if you pass in user-supplied data via a variable it will be parameterized?

如果我这样做:

from foo in ctx.Bar where foo.Field = userSuppliedString select foo;

我安全吗?

推荐答案

在您的示例中，您使用的是变量(userSuppliedString)，因此将对其进行参数化.

In your example you're using a variable (userSuppliedString), so it will be parameterized.

如果您的代码中有文字值:

If you had a literal value in your code:

from foo in ctx.Bar where foo.Field == "Hi" select foo;

...然后EF 1不会对其进行参数化，但是由于SQL注入是文字，因此SQL注入的危险也为零.

...then EF 1 won't parameterize it, but there's also zero danger of SQL injection since it's a literal.

这篇关于LINQ to实体和SQL注入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！