Chapter 8 : Reading Objects with LINQ to SQL

Posted by Addison Wesley Free Book | LINQ July 28, 2009
LINQ to SQL uses the mapping of classes to tables to translate LINQ queries into SQL commands and then materializes objects from the rows returned. Those objects can be related to each other in an object graph that LINQ to SQL manages on your behalf.

Security
 
SQL users do have a certain degree of composability available to them. In principle, you can concatenate appropriate strings to build a SQL query programmatically from various inputs. In practice, this is almost always problematic because of the threat of SQL injection: malicious user input can turn a benign-looking parameter into commands that do something nefarious on the server.
 
LINQ to SQL addresses this issue very effectively by always parameterizing inputs in the SQL it generates. A malicious user can try to provide input laced with commands, but that input is never concatenated into the SQL string. It is passed as a parameter, and the database treats a parameter value as data, not as executable SQL.
 
Although most SQL users know about the threat of SQL injection and take steps to avoid building commands by string concatenation, LINQ to SQL does a more effective job of avoiding such concatenation. It provides a degree of additional security by ensuring that this basic principle is followed consistently for every query it translates. Note that the guarantee covers the SQL LINQ to SQL generates: if you hand it raw SQL text (through ExecuteQuery or ExecuteCommand) that you have already assembled by concatenation, you are back to building the command yourself.
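The contrast between a concatenated command and the parameterized command LINQ to SQL produces, as an added example (not code from the chapter). It assumes a hypothetical Customers table with CustomerID, CompanyName and ContactName columns and a SQL Server connection string; the mapping attributes, DataContext.GetCommand and DataContext.ExecuteQuery are the real LINQ to SQL APIs.

```csharp
using System;
using System.Data.Common;
using System.Data.Linq;
using System.Data.Linq.Mapping;
using System.Linq;

// Assumed schema (hypothetical, not from the chapter): a Customers table.
[Table(Name = "Customers")]
public class Customer
{
    [Column(IsPrimaryKey = true)] public string CustomerID;
    [Column] public string CompanyName;
    [Column] public string ContactName;
}

public static class InjectionDemo
{
    // Assumed connection string; replace with your own (ideally Integrated Security).
    const string ConnectionString =
        "Data Source=.;Initial Catalog=Northwind;Integrated Security=SSPI";

    // Constructed attacker input: closes the string literal and appends a tautology.
    public const string HostileInput = "x' OR '1'='1";

    // 1. Vulnerable: the input is spliced into the command text. With HostileInput the
    //    WHERE clause becomes  CompanyName = 'x' OR '1'='1'  and every row comes back
    //    (a payload ending in "; DROP TABLE Customers --" would be executed just as readily).
    public static string BuildConcatenatedSql(string userInput)
    {
        return "SELECT CustomerID, CompanyName FROM Customers WHERE CompanyName = '"
               + userInput + "'";
    }

    // 2. LINQ to SQL: the same predicate is translated with the input bound to a
    //    parameter (@p0). GetCommand returns the generated command without executing it,
    //    so you can inspect CommandText and Parameters.
    public static DbCommand TranslateWithLinq(DataContext db, string userInput)
    {
        IQueryable<Customer> q = from c in db.GetTable<Customer>()
                                 where c.CompanyName == userInput
                                 select c;
        return db.GetCommand(q);
    }

    // 3. Raw SQL through LINQ to SQL is still parameterized if you use {0}, {1}, ...
    //    placeholders: each one becomes a @pN parameter carrying the value as data.
    public static Customer[] RawSqlParameterized(DataContext db, string userInput)
    {
        return db.ExecuteQuery<Customer>(
            "SELECT CustomerID, CompanyName, ContactName FROM Customers WHERE CompanyName = {0}",
            userInput).ToArray();
    }

    // 4. Anti-pattern: formatting the text yourself before LINQ to SQL sees it. This is
    //    case 1 again, merely wrapped in ExecuteQuery; the input is part of the SQL text.
    public static Customer[] RawSqlStillVulnerable(DataContext db, string userInput)
    {
        string sql = string.Format(
            "SELECT CustomerID, CompanyName, ContactName FROM Customers WHERE CompanyName = '{0}'",
            userInput);
        return db.ExecuteQuery<Customer>(sql).ToArray();
    }

    public static void Main()
    {
        Console.WriteLine(BuildConcatenatedSql(HostileInput));

        using (var db = new DataContext(ConnectionString))
        {
            DbCommand cmd = TranslateWithLinq(db, HostileInput);
            Console.WriteLine(cmd.CommandText);           // ... WHERE [t0].[CompanyName] = @p0
            foreach (DbParameter p in cmd.Parameters)     // @p0 = x' OR '1'='1  (plain data)
                Console.WriteLine("{0} = {1}", p.ParameterName, p.Value);
        }
    }
}
```

Running Main against a database prints the concatenated text with the tautology inlined, followed by the LINQ to SQL command in which the whole hostile string is the value of @p0. The practical rule is in cases 3 and 4: let LINQ to SQL substitute the placeholders, never String.Format the query yourself.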
 
Beyond thwarting SQL injection, restricting access to sensitive data or operations is another key security objective. If you use stored procedures or functions in your database, LINQ to SQL can use them to retrieve and save objects. We will discuss stored procedure support in depth in Chapter 10, "Using Stored Procedures and Database Functions with LINQ to SQL." For this discussion, remember that you can use fine-grained access control in the database with views, stored procedures, and functions just as effectively with LINQ to SQL as you do with plain SQL.
 
Finally, LINQ to SQL relies on the connection string for access to the database, just like the underlying ADO.NET relational APIs. If you use integrated security, the connection string contains little sensitive data. If you do not, it is important to protect the user ID and password in the connection string. Typically such information is stored in a configuration file that is carefully secured. All precautions used for connection string information with ? or ? also apply to LINQ to SQL.
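One way to keep a user ID and password out of a plaintext configuration file, as an added example that is not part of the chapter: encrypt the connectionStrings section with the .NET protected-configuration DPAPI provider. It assumes a desktop or service application with its own exe.config and a connection string named "Northwind" (both hypothetical); the System.Configuration calls are the real framework APIs.

```csharp
using System;
using System.Configuration;

public static class ConnectionStringProtection
{
    // Built-in provider that uses Windows DPAPI; no key material to manage yourself.
    const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts (encrypt == true) or decrypts the <connectionStrings> section in place.
    // Typically run once at deployment time, under the account that will run the app.
    public static void Protect(bool encrypt)
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (encrypt && !section.SectionInformation.IsProtected)
            section.SectionInformation.ProtectSection(Provider);
        else if (!encrypt && section.SectionInformation.IsProtected)
            section.SectionInformation.UnprotectSection();

        section.SectionInformation.ForceSave = true;  // write even if nothing else changed
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Application code is unchanged: ConfigurationManager decrypts transparently,
    // and the DataContext is constructed from the string exactly as before.
    public static string NorthwindConnectionString()
    {
        // Assumed name; the preferred form carries no secret at all:
        //   Data Source=.;Initial Catalog=Northwind;Integrated Security=SSPI
        // rather than  ...;User ID=app;Password=s3cret
        return ConfigurationManager.ConnectionStrings["Northwind"].ConnectionString;
    }

    public static void Main(string[] args)
    {
        bool encrypt = args.Length == 0 || args[0] != "--decrypt";
        Protect(encrypt);
        Console.WriteLine(encrypt ? "connectionStrings section encrypted"
                                  : "connectionStrings section decrypted");
    }
}
```

For a web application, open the file with WebConfigurationManager.OpenWebConfiguration("~") instead, or use the aspnet_regiis -pe "connectionStrings" command, which does the same thing from the command line. Note the scope of what DPAPI buys you: with the default machine-level protection, any process on the same machine can decrypt the section, so file ACLs on the config file still matter, and integrated security remains the better option because then there is no password to protect.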
 
Get the Most from LINQ to SQL
 
Put the query results in a collection if you plan to enumerate them multiple times. Use compiled queries wherever possible for queries that are executed often. Although LINQ to SQL addresses SQL injection, you still need to secure the connection string to protect any secrets it holds, such as a user ID and password.
 