Concatenated Queries at the Root of SQL Injection attacks
An ORM is supposed to protect against SQL injection attacks, as are stored procedures (because the data in the query is parameterized). However, neither ORMs nor stored procedures will protect you against SQL injection if you construct your query (LINQ or SQL) by concatenation. Concatenating data values into a query is the source of all SQL injection issues, and simply going LINQ -> ORM will not protect your app against that.
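The point above in runnable form, as an added example that is not part of the original post: the same lookup written once by string concatenation and once with a bound parameter, run against a constructed in-memory SQLite table. With concatenation the input value is parsed as part of the SQL and changes the query's structure; with a bound parameter it is only ever compared as data.

```python
import sqlite3


def build_db():
    # Constructed sample data: an in-memory table with two users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user")],
    )
    return conn


def concatenated_sql(name):
    # Vulnerable pattern: the data value is spliced into the query text,
    # so the database parses it as SQL, not as a value.
    return "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"


def lookup_concatenated(conn, name):
    return [row[0] for row in conn.execute(concatenated_sql(name))]


def lookup_parameterized(conn, name):
    # Hardened pattern: the query text is fixed and the value is bound
    # separately, so it can never alter the statement's structure.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = build_db()
    # Constructed input containing a quote, the classic tautology:
    hostile = "x' OR '1'='1"
    print(concatenated_sql(hostile))
    print("concatenated :", lookup_concatenated(db, hostile))  # every row
    print("parameterized:", lookup_parameterized(db, hostile))  # no rows
```

The same failure applies to a LINQ or ORM query whose text is assembled with `+` before being handed to the provider, and to a stored procedure that builds dynamic SQL from its arguments.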
Everything I wanted to detail about this vulnerability was already explained in this post.