开发者

Is this LINQ based search safe against SQL injection / XSS attack?

开发者 https://www.devze.com 2023-04-10 05:46 出处：网络

P开发者_开发技巧lease refer following database search tutorial and advise if search methodology is safe, especially since it is taking input from a textbox.

相关专题：asp.net code-injection linq security sql

P开发者_开发技巧lease refer following database search tutorial and advise if search methodology is safe, especially since it is taking input from a textbox.

http://net.tutsplus.com/tutorials/asp-net/enabling-search-functionality-in-your-site-using-the-new-features-in-aspnet-35/

Protected Sub btnSubmit_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnSubmit.Click  

    Dim db As New BlogDBDataContext()  

    Dim q = From b In db.Blogs _  
            Where b.BlogContents.Contains(txtSearch.Text.Trim()) Or _  
                  b.BlogTitle.Contains(txtSearch.Text.Trim()) _  
            Select b  

    lv.DataSource = q  
    lv.DataBind()
End Sub

Yes, that's safe. You aren't at risk from SQL injection attacks using LINQ unless you create the SQL yourself, for example if you use ExecuteQuery.

You are safe in this case. You have to go out of your way to enable SQL injection using LINQ to SQL. See http://www.thinqlinq.com/Post.aspx/Title/Does-LINQ-to-SQL-eliminate-the-possibility-of-SQL-Injection