By default, LINQ to SQL uses parameterized queries rather than concatenated strings when executing your LINQ queries. As a result, if a user tries to perform SQL Injection by improperly escaping parts of the SQL, the escape is considered part of the parameter rather than part of the query and thus avoids the injection. However, as we discussed in chapter 8 of LINQ in Action, LINQ to SQL greatly reduces the possibility of SQL Injection, but doesn't completely eliminate it. For example, if you are using ...
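As an added example (not code from the post or from LINQ in Action), the contrast the paragraph describes in LINQ to SQL: a query written against the LINQ provider is parameterized automatically, while raw SQL handed to DataContext.ExecuteQuery as a concatenated string is not, and ExecuteQuery's placeholder form restores parameterization. The User class, table and column names, and the FindSafe/FindUnsafe/FindRawParameterized helpers are assumptions made for this example.

```csharp
using System;
using System.Data.Linq;
using System.Data.Linq.Mapping;
using System.Linq;

// Hypothetical mapping; the table and column names are assumptions for this example.
[Table(Name = "Users")]
public class User
{
    [Column(IsPrimaryKey = true)] public int Id { get; set; }
    [Column] public string Name { get; set; }
}

public class AppContext : DataContext
{
    public AppContext(string connectionString) : base(connectionString) { }
    public Table<User> Users { get { return GetTable<User>(); } }
}

public static class UserLookup
{
    // Safe: the LINQ provider translates the comparison into a WHERE clause
    // with a bound parameter, so a quote character in `name` is just data.
    public static User FindSafe(AppContext db, string name)
    {
        return db.Users.SingleOrDefault(u => u.Name == name);
    }

    // Unsafe: raw SQL built by concatenation bypasses the provider entirely;
    // whatever the caller passes in becomes part of the query text itself.
    public static User FindUnsafe(AppContext db, string name)
    {
        string sql = "SELECT Id, Name FROM Users WHERE Name = '" + name + "'";
        return db.ExecuteQuery<User>(sql).SingleOrDefault();
    }

    // Fixed: ExecuteQuery binds {0}-style placeholders as SQL parameters
    // (this is not string.Format), so the raw-SQL path stays parameterized.
    public static User FindRawParameterized(AppContext db, string name)
    {
        return db.ExecuteQuery<User>(
            "SELECT Id, Name FROM Users WHERE Name = {0}", name).SingleOrDefault();
    }
}
```

The practical check is to log or trace the SQL the DataContext emits (for example via DataContext.Log) and confirm that user-supplied values appear as parameters, not inline literals.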
dpeterson
7/28/2011 10:54:40 PM
Moral of the story, use parameterized queries no matter what tool you use to access the database. You should never, ever, ever trust user input, and you should definitely not concatenate it with your query strings.