From: Erland Sommarskog on 6 Aug 2010 03:24

Dan Guzman (guzmanda(a)nospam-online.sbcglobal.net) writes:
> Just to be clear, I did not mean to insinuate that LINQ had SQL
> injection vulnerabilities. Rather, the practice of using stored
> procedures mitigates the risk of SQL injection regardless of the method
> used to access the database.

Hmmm. Yes, if people understand to use CommandType.StoredProcedures, yes. If they do

   sql = "EXEC some_sp '" & param_1 & "'"

nothing has changed. And don't laugh. The system I work with has plenty of that.

-- 
Erland Sommarskog, SQL Server MVP, esquel(a)sommarskog.se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx
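The two call shapes Erland contrasts, written out side by side in C# against System.Data.SqlClient as an added example (not code from the thread or from any project it mentions). The procedure name `some_sp` and parameter `param_1` come from the post; the connection string and the parameter's type and length are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class StoredProcCalls
{
    // Placeholder; replace with a real connection string.
    const string ConnStr = "Server=<host>;Database=<db>;Integrated Security=true;";

    // VULNERABLE: the same pattern as the post, just in C#. The value is
    // spliced into the T-SQL batch text, so the server parses whatever
    // param1 contains as part of the statement. Wrapping the call in a
    // stored procedure buys nothing here; this is still dynamic SQL built
    // by concatenation and must be treated as an injection finding.
    static int CallByConcatenation(string param1)
    {
        string sql = "EXEC some_sp '" + param1 + "'";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))   // CommandType defaults to Text
        {
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // SAFE: the command text is only the procedure name, CommandType is
    // StoredProcedure, and the value travels as a typed RPC parameter.
    // The driver never builds a T-SQL literal from it, so quotes or
    // semicolons in param1 are data, not syntax.
    static int CallWithParameter(string param1)
    {
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("some_sp", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // Assumed declaration of @param_1 as nvarchar(50) in some_sp.
            cmd.Parameters.Add("@param_1", SqlDbType.NVarChar, 50).Value = param1;
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

A quick code-review check for the first shape is to grep for `"EXEC ` or `"exec ` concatenated with a variable; every hit is dynamic SQL regardless of what it executes.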