LINQ to SQL Security
May 9, 2008
The security configuration for LINQ to SQL lives in app.config/web.config, much as it does with ADO.NET: the connection string is written to the config file, so the same security settings (authentication mode, server, database) can still be kept in the configuration file rather than in code.
Example:
    using System;
    using System.Data.SqlClient;
    using System.Diagnostics;
    using System.Linq;
    using System.Windows.Forms;

    try
    {
        // Integrated Security=True uses Windows authentication, so no password is stored in the string
        string connectionString = @"Data Source=server_name;database=database_name;Integrated Security=True;";
        using (SqlConnection connection = new SqlConnection(connectionString))
        {
            connection.Open();
            // Mydb is the DataContext generated from the .dbml file; it accepts an existing connection
            Mydb db = new Mydb(connection);
            var q = from c in db.Customers
                    where c.CustomerID.StartsWith("A")
                    select new { c.CustomerID, c.Phone };
            foreach (var c in q)
                Debug.WriteLine(c);
        }
    }
    catch (Exception ex)
    {
        MessageBox.Show(ex.Message);
    }
By default, LINQ to SQL opens and closes the connection for every query or operation, unless a transaction is in scope or the connection was already open when it was handed to the DataContext.
You can control when and where the connection is opened and closed by opening and closing it yourself.
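The following is an added example, not code from the original post: it moves the connection string into app.config as the paragraph above recommends, then shows both connection lifetimes side by side. The DataContext name Mydb and the Customers table are taken from the post; the config entry name MyDbConnection and the server/database names are assumed.

```csharp
// Added example (not from the original post). Assumed names: "Mydb" (generated
// DataContext), "MyDbConnection" (config entry), server_name / database_name.
//
// app.config (constructed fragment):
//   <configuration>
//     <connectionStrings>
//       <add name="MyDbConnection"
//            connectionString="Data Source=server_name;Initial Catalog=database_name;Integrated Security=True"
//            providerName="System.Data.SqlClient" />
//     </connectionStrings>
//   </configuration>
//
// With Integrated Security=True no password is stored. If SQL authentication is
// unavoidable, encrypt the section rather than leaving it in clear text, e.g.
//   aspnet_regiis -pe "connectionStrings" -app "/MyApp"
using System;
using System.Configuration;   // reference System.Configuration.dll
using System.Data;
using System.Data.SqlClient;
using System.Linq;

static class ConnectionExamples
{
    static string ConnectionString
    {
        get { return ConfigurationManager.ConnectionStrings["MyDbConnection"].ConnectionString; }
    }

    // Default behaviour: the DataContext opens the connection for each query
    // and closes it again as soon as the query has been read.
    static void DataContextOwnsConnection()
    {
        using (Mydb db = new Mydb(ConnectionString))
        {
            var q = from c in db.Customers
                    where c.CustomerID.StartsWith("A")
                    select new { c.CustomerID, c.Phone };
            foreach (var c in q)
                Console.WriteLine(c);
        }   // Dispose closes any connection the context opened itself
    }

    // Caller-controlled lifetime: a connection that is already open when it is
    // handed to the DataContext stays open until the caller closes it, so several
    // queries share one connection (and, inside a transaction, one session).
    static void CallerOwnsConnection()
    {
        using (SqlConnection connection = new SqlConnection(ConnectionString))
        {
            connection.Open();
            using (Mydb db = new Mydb(connection))
            {
                int count = db.Customers.Count();
                // Still open: LINQ to SQL does not close what it did not open.
                Console.WriteLine(connection.State == ConnectionState.Open);   // True
                var phones = db.Customers.Select(c => c.Phone).ToList();
                Console.WriteLine("{0} customers, {1} phone rows", count, phones.Count);
            }
        }   // the outer using block is what finally closes the connection
    }
}
```

Pass the open SqlConnection only when you need to share it (for example across a transaction); otherwise let the DataContext manage it, so a forgotten Close cannot leave a connection checked out of the pool.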
Some security Q&A:
Q. How is LINQ to SQL protected from SQL-injection attacks?
A. SQL injection has been a significant risk for traditional SQL queries formed by concatenating user input. LINQ to SQL avoids such injection by using SqlParameter in queries: user input is turned into parameter values rather than SQL text, so commands embedded in customer input are never executed as part of the statement.
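As an added example (not code from the original post), the same prefix filter is written three ways, and DataContext.Log is used to capture the generated SQL so you can verify that the input travels as a parameter. Mydb, Customer and Customers come from the post; the connection string is a placeholder.

```csharp
// Added example (not from the original post). "Mydb", "Customer" and the
// Customers table are assumed from the post; the connection string is a placeholder.
using System;
using System.Data.SqlClient;
using System.IO;
using System.Linq;

static class InjectionExamples
{
    const string ConnectionString =
        "Data Source=server_name;Initial Catalog=database_name;Integrated Security=True";

    // 1. Classic ADO.NET concatenation: the input is spliced into the SQL text,
    //    so any quote or keyword inside it changes the statement. Shown only as
    //    the pattern to avoid.
    static SqlCommand UnsafeCommand(SqlConnection connection, string userPrefix)
    {
        string sql = "SELECT CustomerID, Phone FROM Customers WHERE CustomerID LIKE '"
                     + userPrefix + "%'";
        return new SqlCommand(sql, connection);
    }

    // 2. LINQ to SQL: the prefix becomes @p0 (the provider appends the "%"),
    //    and the statement text never contains the input. The returned log
    //    text is what you would inspect to confirm that.
    static string SafeLinqQuery(string userPrefix)
    {
        using (Mydb db = new Mydb(ConnectionString))
        {
            var log = new StringWriter();
            db.Log = log;                       // captures generated SQL and parameters

            var q = from c in db.Customers
                    where c.CustomerID.StartsWith(userPrefix)
                    select new { c.CustomerID, c.Phone };
            var rows = q.ToList();              // executes the query

            // Log contains roughly:
            //   ... WHERE [t0].[CustomerID] LIKE @p0
            //   -- @p0: Input NVarChar (...) [A%]
            return log.ToString();
        }
    }

    // 3. Raw SQL through LINQ to SQL is still parameterised *if* the values are
    //    passed as arguments: ExecuteQuery turns each {n} placeholder into a
    //    SqlParameter. Concatenating the input into the string would bring back case 1.
    static void SafeRawSql(string userPrefix)
    {
        using (Mydb db = new Mydb(ConnectionString))
        {
            var rows = db.ExecuteQuery<Customer>(
                "SELECT * FROM Customers WHERE CustomerID LIKE {0}", userPrefix + "%");
            foreach (var c in rows)
                Console.WriteLine(c.CustomerID);
        }
    }
}
```

The practical check during code review is case 3: a grep for ExecuteQuery or ExecuteCommand calls whose first argument is built with + or String.Format on user data finds the places where LINQ to SQL's protection has been bypassed.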
Q. How do I eliminate setters from some properties when I create an object model from a DBML file (mark the .dbml file as read-only)?
A. Take the following steps for this advanced scenario:
1. In the .dbml file, modify the property by changing the IsReadOnly flag to True.
2. Add a partial class. Create a constructor with parameters for the read-only members.
3. Review the default UpdateCheck value (Never) to determine whether that is the correct value for your application.
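The three steps above, carried through as an added example (not code from the original post). The Customer entity, its CustomerID column and the generated storage field _CustomerID are assumptions; the O/R designer names the private field after the column with a leading underscore, but check your own generated code.

```csharp
// Added example (not from the original post). Assumed: a "Customer" entity with
// a "CustomerID" column whose generated storage field is "_CustomerID".
//
// Step 1, in the .dbml file (constructed fragment): IsReadOnly="true" makes the
// designer emit the property with a getter only.
//   <Column Name="CustomerID" Type="System.String" DbType="NChar(5) NOT NULL"
//           IsPrimaryKey="true" IsReadOnly="true" CanBeNull="false" />
//
// Step 3: UpdateCheck decides whether this column is compared in the WHERE
// clause of the UPDATE that detects concurrent changes. Never leaves it out;
// Always includes it. Pick the one your concurrency model needs.
using System;

// Step 2: partial class in a separate file, so regenerating the .dbml keeps it.
public partial class Customer
{
    // Chain to the generated parameterless constructor so OnCreated() still
    // runs, then set the private storage field directly, since the public
    // property no longer has a setter.
    public Customer(string customerID) : this()
    {
        if (string.IsNullOrEmpty(customerID))
            throw new ArgumentException("CustomerID is required", "customerID");
        this._CustomerID = customerID;
    }
}

static class ReadOnlyUsage
{
    static void Insert(Mydb db)
    {
        // The constructor is now the only way to give the key a value;
        // `customer.CustomerID = "...";` no longer compiles.
        var customer = new Customer("ALFKI");   // constructed sample key
        db.Customers.InsertOnSubmit(customer);
        db.SubmitChanges();
    }
}
```

Keep the validation in the constructor: with no setter, it is the single point where a value enters the object, which is the property you wanted from marking the column read-only.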
For more LINQ Q&A, please visit this site: http://msdn.microsoft.com/en-us/library/bb386929.aspx
Entry Filed under: Developer Technologies, Tips & Tricks, Visual Studio 2008. Tags: LINQ to SQL, Security.