﻿<?xml version="1.0" encoding="utf-8"?><rss version="2.0"><channel><title>Ayende @ Rahien</title><link>http://ayende.com</link><description>Ayende @ Rahien</description><copyright>Copyright (C) Ayende Rahien  2004 - 2021 (c) 2026</copyright><ttl>60</ttl><item><title>Ayende Rahien commented on Chasing the SQL Injection that never was</title><description>Alex,
  
Yes, it isn't a major issue, although I think that I _can_ get it to generate a SQL injection if I was using MySQL.
  
It is not much of an injection, though, if it has to be compiled to get there.
  
Do you have any idea what the reasons for this decision were?
</description><link>http://ayende.com/4287/chasing-the-sql-injection-that-never-was#comment9</link><guid>http://ayende.com/4287/chasing-the-sql-injection-that-never-was#comment9</guid><pubDate>Thu, 12 Nov 2009 18:06:09 GMT</pubDate></item><item><title>Alex James commented on Chasing the SQL Injection that never was</title><description>I learned of this distinction for the first time while showing some Generated SQL to some SQL Server MVPs at the MVP summit in 2007! 
  
  
A mild panic attack followed. But all is well that ends well.
  
  
I personally think both inlining and using a parameter for constants are fine.
  
  
Alex
</description><link>http://ayende.com/4287/chasing-the-sql-injection-that-never-was#comment8</link><guid>http://ayende.com/4287/chasing-the-sql-injection-that-never-was#comment8</guid><pubDate>Thu, 12 Nov 2009 18:03:19 GMT</pubDate></item><item><title>P commented on Chasing the SQL Injection that never was</title><description>So everything Rob said was wrong?...
</description><link>http://ayende.com/4287/chasing-the-sql-injection-that-never-was#comment7</link><guid>http://ayende.com/4287/chasing-the-sql-injection-that-never-was#comment7</guid><pubDate>Thu, 12 Nov 2009 15:50:48 GMT</pubDate></item><item><title>Dmitry commented on Chasing the SQL Injection that never was</title><description>I have done a lot of logging for Linq-to-SQL and it does not do this. In fact, Linq-to-Entities is the only ORM Linq provider I have seen that does that.
  
  
I think it is a bad decision because you will get different execution plans for different length constants.
</description><link>http://ayende.com/4287/chasing-the-sql-injection-that-never-was#comment6</link><guid>http://ayende.com/4287/chasing-the-sql-injection-that-never-was#comment6</guid><pubDate>Thu, 12 Nov 2009 02:44:03 GMT</pubDate></item><item><title>Frank commented on Chasing the SQL Injection that never was</title><description>If the constant parameter contains a single quote, I guess it will nicely escape it in the SQL query itself.
  
  
If something is constant, then it is better to actually use it as a constant in the SQL query itself, instead of a parameter. When a constant is used, the statistics of the column will be included in deciding on which path to take. In case of a parameter, only the index selectivity will be used in deciding on the query plan.
</description><link>http://ayende.com/4287/chasing-the-sql-injection-that-never-was#comment5</link><guid>http://ayende.com/4287/chasing-the-sql-injection-that-never-was#comment5</guid><pubDate>Wed, 11 Nov 2009 23:23:26 GMT</pubDate></item><item><title>Ayende Rahien commented on Chasing the SQL Injection that never was</title><description>Rob,
  
NHibernate does _not_ do it that way, though.
  
It makes everything a parameter.
</description><link>http://ayende.com/4287/chasing-the-sql-injection-that-never-was#comment4</link><guid>http://ayende.com/4287/chasing-the-sql-injection-that-never-was#comment4</guid><pubDate>Wed, 11 Nov 2009 19:31:43 GMT</pubDate></item><item><title>Rob Conery commented on Chasing the SQL Injection that never was</title><description>Yep - Linq to Sql does the same thing. If it sees a ConstantExpression it just puts the value straight in with the thinking that it was set programmatically. So with our NHibernate stuff we did the other day where we set the CategoryID==33, it would put 33 in the query.
  
  
A bit weird when you consider the mandate to scrub everything, but at the same time I think it's generally OK.
</description><link>http://ayende.com/4287/chasing-the-sql-injection-that-never-was#comment3</link><guid>http://ayende.com/4287/chasing-the-sql-injection-that-never-was#comment3</guid><pubDate>Wed, 11 Nov 2009 19:11:31 GMT</pubDate></item><item><title>Remco Ros commented on Chasing the SQL Injection that never was</title><description>So... would there be a special reason for this design?
</description><link>http://ayende.com/4287/chasing-the-sql-injection-that-never-was#comment2</link><guid>http://ayende.com/4287/chasing-the-sql-injection-that-never-was#comment2</guid><pubDate>Wed, 11 Nov 2009 18:37:56 GMT</pubDate></item><item><title>Dmitry commented on Chasing the SQL Injection that never was</title><description>Yes, that is normal behavior for EF.
</description><link>http://ayende.com/4287/chasing-the-sql-injection-that-never-was#comment1</link><guid>http://ayende.com/4287/chasing-the-sql-injection-that-never-was#comment1</guid><pubDate>Wed, 11 Nov 2009 13:56:30 GMT</pubDate></item></channel></rss>