Yin

Yin

  • NA
  • 127
  • 22.3k

SQL Command Injection

Nov 14 2012 1:09 AM
Is there a way to Inject SQL command in LINQ Connection? When he's not using the typical

string sqlstr="SELECT * FROM TABLE WHERE COLUMN = '" + PARAMETER + "' ";
List<Table> tbl = context.ExecuteQuery<Table>(sqlstr).ToList();

-we all know that by using this way, you can easily inject a sql command. But how about in this:

var sqlstr = (from tbl in context.Table
                where column == parameter
                select new{tbl.column}).ToList();

QUESTION: What would be the input in parameter in order for you to inject a sql command?

Answers (2)