SQL injection concerns

asp.net, asp.net-mvc, entity-framework, sql-injection

OK, I use this route:

routes.MapRoute(
    "Catalog/Data",
    "Catalog/{*data}",
    new { controller = "Catalog", action = "Category", data = "" }
);

The URL looks something like http://localhost/Catalog/Computer/Harddrives/internal

Data being the Computer/Harddrives/internal part.

I split it apart and validate the route.
Here is where my concerns are: at the moment I do not check for SQL injection.

I check the route by getting the category from the database using Entity Framework
with this function:

// Looks up the enabled category whose Route column matches the requested route.
// Written as a method chain: in the original the query-expression range variable
// and the lambda parameter were both named 'c', which the C# compiler rejects.
public Category GetByRoute(string route)
{
    return XEntity.CategorySet
        .Where(c => c.Route == route)
        .Where(c => c.IsEnabled == true)
        .FirstOrDefault();
}

Should I be worried about SQL injection with this?

Best Solution

Linq2Sql and the Entity Framework use SQL parameters (except for one edge case) so you'll be fine.

In your case you're actually using LINQ over the CategorySet, and LINQ is executed locally in this case, so it's CategorySet that's touching the database; the where constraints run after (I believe). Again, in this case there's no problem.
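As an added illustration of why the accepted answer holds (this is example code, not from the question or the answer): the LINQ query below is translated by Entity Framework into SQL with the route value bound as a parameter, which is what keeps it safe; the same value passed through raw SQL is only safe while it stays a parameter. `XEntity` and `CategorySet` come from the question; the context type name `XEntityContext`, the table name `Categories` and the `IsWellFormedRoute` check are assumptions made for this example.

```csharp
using System;
using System.Data.Objects;
using System.Linq;
using System.Text.RegularExpressions;

// Assumed: XEntity is an Entity Framework ObjectContext (as in the question)
// exposing an ObjectSet<Category> named CategorySet. XEntityContext is a
// hypothetical name for that context type.
public class CatalogRepository
{
    private readonly XEntityContext XEntity;

    public CatalogRepository(XEntityContext context)
    {
        XEntity = context;
    }

    // Defence in depth, not a substitute for parameterisation: a catalog route
    // is a '/'-separated list of segments made of letters, digits, '-' and '_'
    // (e.g. Computer/Harddrives/internal). Anything else is rejected before it
    // reaches the database or any logging that echoes it.
    private static readonly Regex RouteShape =
        new Regex(@"^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$", RegexOptions.Compiled);

    public static bool IsWellFormedRoute(string route)
    {
        return !string.IsNullOrEmpty(route)
            && route.Length <= 200
            && RouteShape.IsMatch(route);
    }

    // Safe: LINQ to Entities compiles the lambda into SQL and binds 'route' as
    // a parameter; the user-supplied string is never spliced into SQL text.
    public Category GetByRoute(string route)
    {
        if (!IsWellFormedRoute(route)) return null;

        return XEntity.CategorySet
            .Where(c => c.Route == route)
            .Where(c => c.IsEnabled)
            .FirstOrDefault();
    }

    // Returns the SQL EF generates for the query above. The trace shows a
    // parameter placeholder (e.g. @p__linq__0) where the route value goes,
    // which is the property to look for when auditing a query.
    public string TraceSqlFor(string route)
    {
        var query = (ObjectQuery<Category>)XEntity.CategorySet
            .Where(c => c.Route == route);
        return query.ToTraceString();
    }

    // Raw SQL is still safe as long as the value travels as a parameter:
    // {0} is bound by ExecuteStoreQuery, not formatted into the string.
    // 'Categories' is an assumed table name.
    public Category GetByRouteRawSql(string route)
    {
        if (!IsWellFormedRoute(route)) return null;

        return XEntity.ExecuteStoreQuery<Category>(
                "SELECT * FROM Categories WHERE Route = {0} AND IsEnabled = 1",
                route)
            .FirstOrDefault();
    }

    // The pattern to avoid, shown only for contrast: concatenating the route
    // into the command text bypasses parameter binding entirely, so the
    // guarantee the answer relies on no longer applies.
    //
    //   XEntity.ExecuteStoreQuery<Category>(
    //       "SELECT * FROM Categories WHERE Route = '" + route + "'");
}
```

`TraceSqlFor` is the quickest way to confirm the answer's claim for your own model: call it once with a sample route during development and check that the generated SQL contains a parameter name rather than the literal string.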