Linq to entities and bind variables

Posted: Thu 30 Jul 2009 11:28
by cdsys
Dear devs,

I've built a small test in VB.Net to evaluate LINQ to Entities with dotConnect for Oracle:

Using ent As New AtgEntities
    ' String literal in the expression tree; see the generated SQL below
    Dim query = From g In ent.GebruikerSet _
                Where g.Gebruikersnaam = "Axel F"
    For Each gebruiker In query
        Console.WriteLine(gebruiker.Gebruikersnaam)
    Next
End Using

And in DBMonitor I get the following statement:

Execute: SELECT
1 AS C1,
"Extent1".GEBRUIKER_ID AS GEBRUIKER_ID,
"Extent1".GEBRUIKERSNAAM AS GEBRUIKERSNAAM,
"Extent1".STATUS_ID AS STATUS_ID
FROM ATG.ATG_GEBR "Extent1"
WHERE 'Axel F' = "Extent1".GEBRUIKERSNAAM

Shouldn't the string 'Axel F' in the statement be replaced with a bind variable (so that no SQL injection could happen, and for better performance)?

Regards.

Posted: Thu 30 Jul 2009 14:52
by AndreyR
I have just tried the same query with Microsoft SQL Server and obtained a similar query in the Profiler.
I recommend that you check the string constant you use in a LINQ to Entities query before constructing the query itself.
This will prevent SQL injections.

Posted: Fri 31 Jul 2009 06:33
by oribolzi
Why not implement bind variables instead?
There are also serious performance problems to take into account.

Posted: Tue 04 Aug 2009 08:03
by AndreyR
Bind variables are already implemented.
You can simply create a new string variable, assign it the value "Axel F", for example, and use this variable
in the LINQ to Entities query instead of a constant. The generated query will contain a bind parameter.
As for performance troubles, could you please describe the ones you have encountered?
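The variable-based form described in the reply above, as an added example that is not code from the thread or from the dotConnect product. It reuses the AtgEntities context and GebruikerSet names from the original post; the entity type name Gebruiker, the function FindByName and the sample value are assumptions. Because the filter value is a captured local rather than a literal inside the expression tree, LINQ to Entities emits a bind parameter (the exact parameter name depends on the provider), so the user-supplied text never becomes part of the SQL statement text and the same statement can be reused by the database cache.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Linq

Module BindVariableDemo

    ' Returns the users whose name equals the supplied value.
    ' `name` is a variable captured by the query, so the provider generates
    ' "... WHERE :p = "Extent1".GEBRUIKERSNAAM" with a bind parameter instead
    ' of inlining the string as 'Axel F'. (Gebruiker is an assumed entity type name.)
    Public Function FindByName(ByVal ent As AtgEntities, ByVal name As String) As IList(Of Gebruiker)
        Dim query = From g In ent.GebruikerSet _
                    Where g.Gebruikersnaam = name _
                    Select g
        Return query.ToList()
    End Function

    Sub Main()
        ' Constructed sample input; in a real application this value would come
        ' from the caller (UI, web request, configuration) rather than a literal.
        Dim requested As String = "Axel F"

        Using ent As New AtgEntities
            For Each gebruiker In FindByName(ent, requested)
                Console.WriteLine(gebruiker.Gebruikersnaam)
            Next
        End Using
    End Sub

End Module
```

To confirm the behaviour, run the program with DBMonitor attached and compare the captured statement with the one in the first post: the WHERE clause should now show a parameter placeholder, with the value listed separately under the statement's parameters, rather than the quoted literal 'Axel F'. If a literal still appears, the value reached the query as a constant expression somewhere (for example through a Const or an inline string) and should be moved into a variable.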