From: Erland Sommarskog on 6 Aug 2010 03:24
Dan Guzman (guzmanda(a)nospam-online.sbcglobal.net) writes:
> Just to be clear, I did not mean to insinuate that LINQ had SQL
> injection vulnerabilities. Rather, the practice of using stored
> procedures mitigates the risk of SQL injection regardless of the method
> used to access the database.
Hmmm. Yes, if people understand that they should use CommandType.StoredProcedures, yes.
If they do
sql = "EXEC some_sp '" & param_1 & "'"
Nothing has changed.
And don't laugh. The system I work with has plenty of that.
Erland Sommarskog, SQL Server MVP, esquel(a)sommarskog.se
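The two patterns Erland contrasts, as an added ADO.NET example (not code from the thread): the concatenated `EXEC` string beside a `CommandType.StoredProcedure` call. It assumes a procedure `some_sp` with one varchar parameter `@param_1`; the connection string and the input value are constructed for illustration and the commands are only built, not executed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class StoredProcCalls
{
    // Vulnerable: the caller's value is spliced into the command text, so any
    // single quote in param1 changes the statement the server parses. Using a
    // stored procedure buys nothing here; this is ordinary dynamic SQL.
    static SqlCommand BuildConcatenated(SqlConnection conn, string param1)
    {
        var cmd = conn.CreateCommand();
        cmd.CommandType = CommandType.Text;
        cmd.CommandText = "EXEC some_sp '" + param1 + "'";
        return cmd;
    }

    // Safe: the procedure name is fixed and the value travels as a typed RPC
    // parameter, so it is never parsed as part of the SQL text.
    static SqlCommand BuildParameterized(SqlConnection conn, string param1)
    {
        var cmd = conn.CreateCommand();
        cmd.CommandType = CommandType.StoredProcedure;
        cmd.CommandText = "some_sp";                       // assumed procedure name
        cmd.Parameters.Add("@param_1", SqlDbType.VarChar, 50).Value = param1;
        return cmd;
    }

    static void Main()
    {
        // Constructed input: a legitimate value that happens to contain an apostrophe.
        string input = "O'Brien";
        // Constructed connection string; nothing is opened or executed.
        using var conn = new SqlConnection("Server=.;Database=Demo;Trusted_Connection=True;");

        // The apostrophe in the input closes the string literal early, so the
        // text sent to the server is no longer the statement the developer wrote.
        Console.WriteLine(BuildConcatenated(conn, input).CommandText);

        // The parameterized command's text is just the procedure name; the
        // apostrophe stays inside the parameter value as data.
        var safe = BuildParameterized(conn, input);
        Console.WriteLine(safe.CommandText + "  @param_1 = " + safe.Parameters["@param_1"].Value);
    }
}
```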