Is the generated code vulnerable to SQL injection attacks?

Aglaia avatar
LLBLGen Pro Team
Posts: 535
Joined: 07-Sep-2003
# Posted on: 21-Aug-2007 13:18:56   

Question: LLBLGen Pro generates SQL on the fly and doesn't use stored procedures to do its database operations. Aren't these queries vulnerable for SQL injection attacks? ** Solution:** All SQL generated by LLBLGen Pro is parameterized. This means that no values are embedded into the SQL query being generated. Due to the parameters, a value can never influence the query being executed, as the value will never be part of the query itself, but just a value of a parameter. The generated code is therefore not vulnerable for SQL injection attacks.