
It’s incredibly simple to parameterize plain ADO.NET SQL statements as well; LINQ and EF are not required to prevent SQL injection when working in C#/.Net.



I guess I wasn't clear. Most advances in security don't make it much easier to write secure code. They make it hard to write insecure code. And I'm not arguing LINQ makes it much easier to write secure code (that was already pretty easy), but it makes it much harder to write insecure code.

Imagine you tasked two rooms of 100 jr devs to query a database, one with EF, one with ADO.NET. Do you honestly think the same percentage of jr devs would have written code open to SQL injection?

    // Vulnerable: the user-supplied value is interpolated straight into the SQL text
    string queryString = "SELECT ProductID, UnitPrice, ProductName from dbo.products "
        + $"WHERE ProductName = {userSuppliedName} "
        + "ORDER BY UnitPrice DESC;";
    SqlCommand command = new SqlCommand(queryString, connection);
    SqlDataReader reader = command.ExecuteReader();

I've met a ton of devs who would write this code without thinking (some even with quite a few years of experience).
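The parameterized plain-ADO.NET form that the first reply refers to, written here as an added example (not code from the thread). It runs the same query as the snippet above, with `connection` and `userSuppliedName` assumed to exist as they do there, and assumes the `System.Data.SqlClient` provider:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class ProductQueries
{
    // Same query as the interpolated snippet above, except that the user value
    // is carried by the typed parameter @name and never becomes part of the
    // SQL text. The text is a compile-time constant, so whatever the user
    // types (quotes, comment markers, keywords) reaches the server as data
    // bound to @name, not as syntax.
    const string QueryText =
        "SELECT ProductID, UnitPrice, ProductName FROM dbo.products "
        + "WHERE ProductName = @name "
        + "ORDER BY UnitPrice DESC;";

    public static SqlCommand BuildCommand(SqlConnection connection, string userSuppliedName)
    {
        var command = new SqlCommand(QueryText, connection);
        // Declare the type and length explicitly (assumed to match the
        // ProductName column) so the server does not infer them from the
        // .NET value and can reuse the cached plan.
        command.Parameters.Add("@name", SqlDbType.NVarChar, 40).Value = userSuppliedName;
        return command;
    }

    public static void PrintMatches(SqlConnection connection, string userSuppliedName)
    {
        using (SqlCommand command = BuildCommand(connection, userSuppliedName))
        using (SqlDataReader reader = command.ExecuteReader())
        {
            while (reader.Read())
            {
                Console.WriteLine($"{reader["ProductID"]}\t{reader["UnitPrice"]}\t{reader["ProductName"]}");
            }
        }
    }
}
```

A value that is not a real product name, however it is spelled, simply matches no rows; the structure of the statement cannot change because the only thing that varies per call is the value bound to `@name`.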



