Linq to entities and bind variables

Discussion of open issues, suggestions and bugs regarding Entity Framework support in ADO.NET Data providers
cdsys
Posts: 2
Joined: Thu 30 Jul 2009 11:14
Location: Belgium

Linq to entities and bind variables

Post by cdsys » Thu 30 Jul 2009 11:28

Dear devs,

I've built a small test in VB.Net to evaluate LINQ to Entities with dotConnect for Oracle:

    ' Query the GebruikerSet entity set by name; the string is written as a literal here
    Using ent As New AtgEntities
        Dim query = From g In ent.GebruikerSet _
                    Where g.Gebruikersnaam = "Axel F"
        ' Enumerating the query sends the generated SQL to the database
        For Each gebruiker In query
            Console.WriteLine(gebruiker.Gebruikersnaam)
        Next
    End Using

And in the DBMonitor I get the following statement:

Execute: SELECT
1 AS C1,
"Extent1".GEBRUIKER_ID AS GEBRUIKER_ID,
"Extent1".GEBRUIKERSNAAM AS GEBRUIKERSNAAM,
"Extent1".STATUS_ID AS STATUS_ID
FROM ATG.ATG_GEBR "Extent1"
WHERE 'Axel F' = "Extent1".GEBRUIKERSNAAM

Shouldn't the string 'Axel F' in the statement be replaced with a bind variable (so that no SQL injection could happen, and for better performance)?

Regards.

AndreyR
Devart Team
Posts: 2919
Joined: Mon 07 Jul 2008 13:16

Post by AndreyR » Thu 30 Jul 2009 14:52

I have just tried the same query with Microsoft SQL Server and obtained a similar query in the Profiler.
I recommend that you check the string constant you use in a LINQ to Entities query before constructing the query itself.
This will prevent SQL injections.

oribolzi
Posts: 7
Joined: Sun 26 Feb 2006 21:54
Location: Milano, Italy

Post by oribolzi » Fri 31 Jul 2009 06:33

Why not implement bind variables instead?
There are also serious performance problems to take into account.

AndreyR
Devart Team
Posts: 2919
Joined: Mon 07 Jul 2008 13:16

Post by AndreyR » Tue 04 Aug 2009 08:03

Bind variables are already implemented.
You can simply create a new string variable, assign the value "Axel F" to it, for example, and use this variable
in the LINQ to Entities query instead of the constant. The generated query will contain a bind parameter.
As for the performance troubles, could you please describe the ones you have encountered?
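As an added example (not code from this thread or from Devart), here is how to confirm from VB.Net that the variable form really produces a bind parameter, using the EF ObjectQuery.ToTraceString() method to inspect the SQL before it runs. It assumes the AtgEntities context from the first post and that the entity type behind GebruikerSet is named Gebruiker.

```vbnet
Imports System
Imports System.Linq
Imports System.Data.Objects

Module BindVariableCheck

    ' Builds the query from a variable, so EF emits a bind parameter for the name
    ' instead of inlining it into the SQL text.
    Function QueryByName(ByVal ent As AtgEntities, ByVal naam As String) As ObjectQuery(Of Gebruiker)
        Dim query = From g In ent.GebruikerSet _
                    Where g.Gebruikersnaam = naam _
                    Select g
        Return CType(query, ObjectQuery(Of Gebruiker))
    End Function

    ' Returns True when the value was sent as a bind parameter, i.e. the raw
    ' text does not appear in the generated SQL.
    Function IsParameterized(ByVal query As ObjectQuery(Of Gebruiker), ByVal naam As String) As Boolean
        ' ToTraceString() renders the SQL without executing it
        Return Not query.ToTraceString().Contains(naam)
    End Function

    Sub Main()
        Using ent As New AtgEntities
            ' Constructed input containing a single quote, the character that breaks
            ' a string literal when a value is inlined rather than bound
            Dim naam As String = "O'Brien"
            Dim query = QueryByName(ent, naam)

            Console.WriteLine(query.ToTraceString())
            If IsParameterized(query, naam) Then
                Console.WriteLine("OK: value travels as a bind parameter")
            Else
                Console.WriteLine("WARNING: value was inlined into the SQL text")
            End If
        End Using
    End Sub

End Module
```

Replacing `naam` in the Where clause with the literal "O'Brien" and running the same check shows the inlined form the first post observed in DBMonitor.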
