
How can I validate data against injection attack when tables are varchar()

A lot of the tables at my company don't type input when they should. For example, many tables are keyed with varchar(##) when the only valid values are int. Due to a list of now cemented-in dependencies, I simply cannot just go flipping all the data types.

So, in the short term I want to provide some manner of validating data to prevent Bobby Drop Tables from stopping by for a visit.

In this particular case I should be running read queries. I need to validate the Order property:

public class Model
{
    public string Order { get; set; } // In DB this is a varchar(20)

    public aType Read()
    {
        // Order is bound as a SQL parameter by LINQ; the question is how to
        // validate it before it gets here.
        var result = from a in table
                     where a.Column == Order
                     select new { ... };
        return result;
    }
}

How can I validate user input against my Model?


Both Linq2Sql and Linq2Entities use SQL parameters behind the scenes to pass any variables in the queries. You won't get any SQL injection attacks, but someone might be able to insert a string that is not just numerical characters.

One way to make sure you can only insert "numerical" strings is to create a constraint in the database. That will make sure all applications that use the database behave correctly, but does not force them to change datatypes.

Edit
If you use Linq2Sql and you want to have a check within your application you can implement the partial method OnValidate on the specific type in your Linq-context.
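The two suggestions above (a database constraint plus an application-side OnValidate check) worked through as an added example; it is not code from the original post. It assumes a LINQ to SQL DataContext with a generated entity class named OrderRow whose key column `Column` is a varchar(20) holding integers; the class and column names are hypothetical.

```csharp
// Added example, not from the original post. OrderRow and Column are
// hypothetical names standing in for the generated LINQ to SQL entity.
using System;
using System.Data.Linq;
using System.Linq;
using System.Text.RegularExpressions;

public static class NumericVarchar
{
    // Only an optional '-' followed by 1..20 digits: fits varchar(20) and
    // represents a whole number, so nothing else can reach the column.
    private static readonly Regex Pattern = new Regex(@"^-?[0-9]{1,20}$");

    public static bool IsValid(string value) =>
        value != null && Pattern.IsMatch(value);
}

// Application-side guard: LINQ to SQL calls OnValidate from SubmitChanges
// for each inserted or updated row, so malformed strings are rejected
// before they are written.
public partial class OrderRow
{
    partial void OnValidate(ChangeAction action)
    {
        if (action == ChangeAction.Delete) return;
        if (!NumericVarchar.IsValid(this.Column))
            throw new InvalidOperationException(
                "Column must contain only digits (stored as varchar(20)).");
    }
}

public class Model
{
    public string Order { get; set; } // In DB this is a varchar(20)

    // Read path: the value is parameterised by LINQ either way, so this
    // check enforces the numeric-only contract rather than preventing
    // injection. Rejecting early also avoids a wasted round trip.
    public IQueryable<OrderRow> Read(DataContext db)
    {
        if (!NumericVarchar.IsValid(Order))
            throw new ArgumentException("Order must be an integer string.", nameof(Order));
        return db.GetTable<OrderRow>().Where(a => a.Column == Order);
    }
}

// Database-side guard (LINQ to SQL targets SQL Server, so T-SQL is assumed):
// ALTER TABLE Orders ADD CONSTRAINT CK_Orders_Column_Numeric
//     CHECK (Column NOT LIKE '%[^0-9]%');
// This catches every application that writes to the table, not just this one.
```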


Using LINQ, the way you're using it, prevents SQL injection.

As long as you're using parametrized queries, you're in the clear.
