Dear devs,
I've built a small test in VB.Net to evaluate LINQ to Entities with dotConnect for Oracle:
    Using ent As New AtgEntities
        Dim query = From g In ent.GebruikerSet _
                    Where g.Gebruikersnaam = "Axel F"
        For Each gebruiker In query
            Console.WriteLine(gebruiker.Gebruikersnaam)
        Next
    End Using
And in the DBMonitor I get the following statement:
Execute: SELECT
1 AS C1,
"Extent1".GEBRUIKER_ID AS GEBRUIKER_ID,
"Extent1".GEBRUIKERSNAAM AS GEBRUIKERSNAAM,
"Extent1".STATUS_ID AS STATUS_ID
FROM ATG.ATG_GEBR "Extent1"
WHERE 'Axel F' = "Extent1".GEBRUIKERSNAAM
Shouldn't the string 'Axel F' in the statement be replaced with a bind variable (so that no SQL injection could happen, and for better performance)?
Regards.
Linq to entities and bind variables
Bind variables are already implemented.
You can simply create a new string variable, assign its value to "Axel F", for example, and use this variable in the LINQ to Entities query instead of using a constant. The generated query will contain a bind parameter.
As for performance troubles, could you please describe the ones you have encountered?
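An added example, not code from the original posts or from Devart, showing why the two forms of the query behave differently: the literal is stored inside the LINQ expression tree as a constant, while a local variable is stored as a field read on a closure object whose value the provider only sees at execution time. The `Gebruiker` class is a constructed stand-in for the entity in the question, `OperandInspector` and `Inspect` are hypothetical names, and the code assumes .NET Framework 4 or later for the public `ExpressionVisitor` class.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Linq.Expressions

' Constructed stand-in for the Gebruiker entity from the question (assumption).
Public Class Gebruiker
    Public Property Gebruikersnaam As String
End Class

' Walks a predicate and records how each compared value is represented.
Public Class OperandInspector
    Inherits ExpressionVisitor

    Public ReadOnly Findings As New List(Of String)

    Protected Overrides Function VisitConstant(node As ConstantExpression) As Expression
        ' A string literal lives in the tree itself, so it can be emitted as SQL text.
        If node.Type Is GetType(String) Then
            Findings.Add("literal: '" & CStr(node.Value) & "'")
        End If
        Return MyBase.VisitConstant(node)
    End Function

    Protected Overrides Function VisitMember(node As MemberExpression) As Expression
        ' A captured local is a field read on a compiler-generated closure object;
        ' this is the shape that is translated to a bind parameter.
        If TypeOf node.Expression Is ConstantExpression Then
            Findings.Add("captured variable: " & node.Member.Name)
            Return node
        End If
        Return MyBase.VisitMember(node)
    End Function
End Class

Module BindVariableDemo
    ' Hypothetical helper: returns a description of the operands in the predicate.
    Function Inspect(predicate As Expression(Of Func(Of Gebruiker, Boolean))) As String
        Dim inspector As New OperandInspector()
        inspector.Visit(predicate)
        Return String.Join(", ", inspector.Findings)
    End Function

    Sub Main()
        Dim naam As String = "Axel F"
        Console.WriteLine(Inspect(Function(g) g.Gebruikersnaam = "Axel F")) ' form used in the question
        Console.WriteLine(Inspect(Function(g) g.Gebruikersnaam = naam))     ' form suggested in the reply
    End Sub
End Module
```

The same inspection can be run over predicates in a code review or unit test to confirm that values originating from user input reach the query as captured variables rather than being concatenated or inlined.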