From: Erland Sommarskog on
Dan Guzman (guzmanda(a) writes:
> Just to be clear, I did not mean to insinuate that LINQ had SQL
> injection vulnerabilities. Rather, the practice of using stored
> procedures mitigates the risk of SQL injection regardless of the method
> used to access the database.

Hmmm. Yes, if people understand to use CommandType.StoredProcedures, yes.
If the do

sql = "EXEC some_sp '" & param_1 & "'"

Nothing has changed.

And don't laugh. The system I work with, have plentiful of that.

Erland Sommarskog, SQL Server MVP, esquel(a)

Books Online for SQL Server 2005 at
Books Online for SQL Server 2000 at
First  |  Prev  | 
Pages: 1 2 3
Prev: Decode XML Data Type
Next: Need to recover my database