这种基于LINQ的搜索是否可以安全地防止SQL注入/ XSS攻击？

Question

请参考以下数据库搜索教程,并建议搜索方法是否安全,特别是因为它从文本框中获取输入.

http://net.tutsplus.com/tutorials/asp-net/enabling-search-functionality-in-your-site-using-the-new-features-in-aspnet-35/

Protected Sub btnSubmit_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnSubmit.Click  

    Dim db As New BlogDBDataContext()  

    Dim q = From b In db.Blogs _  
            Where b.BlogContents.Contains(txtSearch.Text.Trim()) Or _  
                  b.BlogTitle.Contains(txtSearch.Text.Trim()) _  
            Select b  

    lv.DataSource = q  
    lv.DataBind()
End Sub  

Answer 1

是的,那是安全的.除非您自己创建SQL,否则您不会受到使用LINQ的SQL注入攻击的风险,例如,如果您使用SQL ExecuteQuery.