score:1
If you want to build your own provider, you must know that it is not that easy. Consider things like nested select, nested where, etc. There are great blog posts on this topic.
But you are interested in protecting your database against SQL injection. So if you look at the sample code on this page and the VisitConstant method, that's the place where you run into constants of value type (string, int, etc.) or IQueryable.
Protection against SQL injections is not complicated, you just create a new SqlParameter or you call the method DbProviderFactory.CreateParameter described here. You will need some collection to store your parameters while you are traversing the expression tree. So the modified code will look like this:
    // Assumed members of the query translator (not shown in the snippet above):
    //   StringBuilder sb;               // the SQL text being built
    //   DbProviderFactory dbProvider;   // e.g. SqlClientFactory.Instance
    //   List<DbParameter> paramsList;   // parameters collected while walking the tree
    protected override Expression VisitConstant(ConstantExpression c) {
        IQueryable q = c.Value as IQueryable;
        if (q != null) {
            // assume constant nodes w/ IQueryables are table references
            sb.Append("SELECT * FROM ");
            sb.Append(q.ElementType.Name);
        }
        else if (c.Value == null) {
            sb.Append("NULL");
        }
        else {
            DbParameter param;
            switch (Type.GetTypeCode(c.Value.GetType())) {
                case TypeCode.Boolean:
                    param = dbProvider.CreateParameter();
                    param.ParameterName = "@param" + paramsList.Count;
                    param.Value = ((bool)c.Value) ? 1 : 0;
                    paramsList.Add(param);
                    sb.Append(param.ParameterName);
                    break;
                case TypeCode.String:
                    param = dbProvider.CreateParameter();
                    param.ParameterName = "@param" + paramsList.Count;
                    param.Value = c.Value; // you don't have to care about escaping or formatting
                    paramsList.Add(param);
                    sb.Append(param.ParameterName);
                    break;
                ...
                case TypeCode.Object:
                    throw new NotSupportedException(string.Format("The constant for '{0}' is not supported", c.Value));
                default:
                    sb.Append(c.Value);
                    break;
            }
        }
        return c;
    }
So while you are traversing the expression tree, you are building the SQL string and collecting the SQL parameters.
score:2
From the blog post it looks like IQ Toolkit (or the initial version of the toolkit) is not safe from SQL injection attacks. But you can verify it by yourself: execute a query, capture the generated SQL and see if there are parameters used.
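As an added, self-contained example (not code from either answer above and not part of IQ Toolkit), the translator below applies the first answer's approach to a whole predicate, and its Main performs the check the second answer suggests: it prints the generated SQL and the collected parameters so you can confirm that the attacker-controlled string only ever appears as a parameter value, never in the SQL text. All names (ParameterizingWhereTranslator, Customer, the @p0 parameter naming) are invented for the example. It assumes System.Data.SqlClient is available to supply a DbProviderFactory (it ships with .NET Framework and is a NuGet package on .NET Core/5+); any other DbProviderFactory can be passed in instead. It also handles a case the VisitConstant-only version misses: a captured local variable reaches the visitor as a MemberExpression on the compiler-generated closure, not as a ConstantExpression, so it is evaluated and routed through VisitConstant to be parameterized.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;
using System.Data.SqlClient;   // assumption: System.Data.SqlClient package/assembly is available
using System.Linq.Expressions;
using System.Text;

// Hypothetical entity used as the table for the demo.
public class Customer { public int Id { get; set; } public string Name { get; set; } public bool Active { get; set; } }

// Translates a LINQ predicate into "SELECT * FROM <Table> WHERE <clause>" with every
// data value (literal or captured local) emitted as a DbParameter rather than inline text.
public sealed class ParameterizingWhereTranslator : ExpressionVisitor
{
    private readonly DbProviderFactory factory;
    private readonly StringBuilder sb = new StringBuilder();
    private readonly List<DbParameter> parameters = new List<DbParameter>();

    public ParameterizingWhereTranslator(DbProviderFactory factory) { this.factory = factory; }

    public (string Sql, IReadOnlyList<DbParameter> Parameters) Translate<T>(Expression<Func<T, bool>> predicate)
    {
        sb.Clear(); parameters.Clear();
        sb.Append("SELECT * FROM ").Append(typeof(T).Name).Append(" WHERE ");
        Visit(predicate.Body);
        return (sb.ToString(), parameters.ToArray());
    }

    protected override Expression VisitBinary(BinaryExpression b)
    {
        sb.Append("(");
        Visit(b.Left);
        switch (b.NodeType)
        {
            case ExpressionType.Equal:       sb.Append(" = ");   break;
            case ExpressionType.NotEqual:    sb.Append(" <> ");  break;
            case ExpressionType.AndAlso:     sb.Append(" AND "); break;
            case ExpressionType.OrElse:      sb.Append(" OR ");  break;
            case ExpressionType.GreaterThan: sb.Append(" > ");   break;
            case ExpressionType.LessThan:    sb.Append(" < ");   break;
            default: throw new NotSupportedException($"Operator {b.NodeType} is not supported");
        }
        Visit(b.Right);
        sb.Append(")");
        return b;
    }

    protected override Expression VisitMember(MemberExpression m)
    {
        if (m.Expression != null && m.Expression.NodeType == ExpressionType.Parameter)
        {
            // Column reference: the name comes from the CLR type, not from user input.
            sb.Append("[").Append(m.Member.Name).Append("]");
            return m;
        }
        // Captured local / closure field: evaluate it now and parameterize it like any constant.
        object value = Expression.Lambda(m).Compile().DynamicInvoke();
        return Visit(Expression.Constant(value, m.Type));
    }

    protected override Expression VisitConstant(ConstantExpression c)
    {
        if (c.Value == null) { sb.Append("NULL"); return c; }
        switch (Type.GetTypeCode(c.Value.GetType()))
        {
            case TypeCode.Object:
                throw new NotSupportedException($"The constant for '{c.Value}' is not supported");
            case TypeCode.Boolean:
                AddParameter(((bool)c.Value) ? 1 : 0);   // map bool to BIT-style 1/0
                break;
            default:                                     // string, int, DateTime, ... all become parameters
                AddParameter(c.Value);
                break;
        }
        return c;
    }

    private void AddParameter(object value)
    {
        DbParameter p = factory.CreateParameter();
        p.ParameterName = "@p" + parameters.Count;
        p.Value = value;
        parameters.Add(p);
        sb.Append(p.ParameterName);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed attacker input: concatenated into SQL text it would rewrite the WHERE clause.
        string hostile = "x' OR 1=1 --";
        bool active = true;
        var translator = new ParameterizingWhereTranslator(SqlClientFactory.Instance);
        var (sql, ps) = translator.Translate<Customer>(c => c.Name == hostile && c.Active == active);
        Console.WriteLine(sql);   // SELECT * FROM Customer WHERE (([Name] = @p0) AND ([Active] = @p1))
        foreach (var p in ps) Console.WriteLine($"{p.ParameterName} = {p.Value}");
        // @p0 = x' OR 1=1 --   and   @p1 = 1 : the quote and comment never entered the SQL string.
    }
}
```

The check to keep in a test suite is the one Main performs: translate a predicate built from a hostile string, then assert that the SQL text contains no fragment of that string and that it appears only as a parameter value. The same inspection works against any provider you did not write yourself, which is what the second answer recommends for IQ Toolkit.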
Source: stackoverflow.com