Tags: sql, asp.net, linq, sql-injection

Output data safe from SQL-injection?


I have a data-driven website where the user can enter some strings on one page that go into a database. I am using LINQ for all inserts and updates, so I think that part is safe. The entered data is then displayed back to users on another page.

When outputting the data, I am not yet using LINQ (not sure if I need to), and I have some "SELECT" statements, similar to this:

SELECT Name, Description FROM Table WHERE ID=something

My question is: If the "Name" or "Description" data in the above statement contain malicious code, is SQL injection possible in that context?

All my SELECT statements with a "WHERE" clause are definitely only comparing numbers, so I think that part is safe. Cheers.


Solution

  • As long as you aren't creating the SQL statements themselves from the user input, you are ok.

    For example if you did the following:

    var sqlStatement = "SELECT " + Name + " FROM Table WHERE ID=something";

    And used that, it would definitely introduce an opportunity for SQL injection attacks.
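To make the distinction in the answer concrete, here is an added example (not code from the question or the answer) that stores a value containing SQL syntax, reads it back with the numeric WHERE from the question, and then shows what happens when that stored value is later pasted into another statement by string concatenation versus passed as a parameter. It is written in Python against an in-memory SQLite database so it runs stand-alone; the table name `Item`, the column names and the sample rows are constructed for the illustration, and the parameterized calls play the role that LINQ or `SqlParameter` plays in ASP.NET.

```python
import sqlite3

# Constructed sample data: row 2 holds a Name that looks like SQL.
SAMPLE_ROWS = [
    (1, "Alice", "Regular description"),
    (2, "Bob' OR '1'='1", "Name stored exactly as typed, quotes and all"),
    (3, "Carol", "Another row"),
]


def build_db():
    """Create an in-memory database and insert the rows with a parameterized
    INSERT (the job LINQ does for the inserts in the question)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Item (ID INTEGER PRIMARY KEY, Name TEXT, Description TEXT)"
    )
    conn.executemany(
        "INSERT INTO Item (ID, Name, Description) VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    return conn


def select_by_id(conn, item_id):
    """The question's SELECT: the WHERE compares a number. Converting to int
    rejects anything that is not an integer, and the value is bound as a
    parameter rather than spliced into the SQL text."""
    row_id = int(item_id)  # raises ValueError on input such as "2 OR 1=1"
    cur = conn.execute(
        "SELECT Name, Description FROM Item WHERE ID = ?", (row_id,)
    )
    return cur.fetchall()


def select_by_name_concatenated(conn, name):
    """Second-order injection: a value that was safely stored is later
    concatenated into a new statement, so its quotes become SQL syntax."""
    sql = "SELECT Name, Description FROM Item WHERE Name = '" + name + "'"
    return conn.execute(sql).fetchall()


def select_by_name_parameterized(conn, name):
    """Same lookup with the stored value bound as a parameter: the driver
    treats it purely as data, so only an exact match is returned."""
    sql = "SELECT Name, Description FROM Item WHERE Name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Read row 2 back (safe: numeric WHERE, parameter bound), then reuse the
    returned Name in a second query both ways and count the rows."""
    conn = build_db()
    stored_name = select_by_id(conn, 2)[0][0]  # returned as plain data
    concat_rows = select_by_name_concatenated(conn, stored_name)
    param_rows = select_by_name_parameterized(conn, stored_name)
    return {
        "stored_name": stored_name,
        "rows_when_concatenated": len(concat_rows),  # 3: every row matches
        "rows_when_parameterized": len(param_rows),  # 1: only Bob's row
    }


if __name__ == "__main__":
    print(demo())
```

Reading `Name` and `Description` out of the table and rendering them is not SQL injection: the data never becomes part of a statement. The risk reappears only if a stored value is later used to build another statement as text, which is exactly the pattern the answer warns against; binding it as a parameter (or letting LINQ generate the query) keeps it data.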