In my WebDD09 talk on Saturday I mentioned SQL injection and LINQ. I’ve had a query about what exactly is the problem with LINQ as I was constrained by time and only mentioned it in passing. Microsoft asserts that LINQ stops SQL injection attacks: LINQ to SQL avoids such injection by using SqlParameter in queries. User input is turned into parameter values. This approach prevents malicious commands from being used from customer input. This is generally true, however LINQ has a problem method – ExecuteQuery. This methodexecutes queries directly on the server which...