
Eliminate SQL Injection Attacks Painlessly with LINQ

Microsoft's LINQ to SQL technology offers .NET developers the chance to eliminate the possibility of SQL injection security vulnerabilities in their web applications. 


As web application security breaches and attempts rise, developers are increasingly being asked to take more responsibility for the security of their applications, and application framework vendors are building more robust security features into their platform software. Many developers have learned that the most effective way to build secure applications and prevent damaging attacks is to design and implement the applications securely from the beginning. Unfortunately, development teams often lack the training and resources to make educated design decisions about application security.


As developers assume more of the security burden, the first web application vulnerability that many of them learn about is a particularly dangerous form of command injection known as SQL injection. Command injection in its archetypal form is any vulnerability that allows an attacker to run an unintended command on your server by providing unanticipated input that alters the way you intended the web application to run. Because the technique is so well known, SQL injection attacks are common, dangerous, and pervasive. Fortunately, you can prevent SQL injection easily once you understand the problem. Even better, a new Microsoft data access technology offers .NET developers the opportunity to eliminate SQL injection vulnerabilities altogether—when used properly. That technology is called Language Integrated Query (LINQ), and it will ship in the upcoming release of Visual Studio "Orcas" and .NET Framework 3.5. This article explores LINQ's potential for hardening your web application's data access code so that it's impossible to attack through SQL injection.
