FromSqlInterpolated, ExecuteSqlInterpolated SQL Injection Free

Creates a LINQ query based on an interpolated string representing a SQL query.

If the database provider supports composing on the supplied SQL, you can compose on top of the raw SQL query using LINQ operators:

context.Blogs.FromSqlInterpolated($"SELECT * FROM dbo.Blogs").OrderBy(b => b.Name)

As with any API that accepts SQL, it is important to parameterize any user input to protect against a SQL injection attack. You can include interpolated parameter placeholders in the SQL query string. Any interpolated parameter values you supply will automatically be converted to a DbParameter:

context.Blogs.FromSqlInterpolated($"SELECT * FROM [dbo].[SearchBlogs]({userSuppliedSearchTerm})")

In particular, never pass a concatenated or interpolated string ($"") with non-validated user-provided values into FromSqlRaw or ExecuteSqlRaw. The FromSqlInterpolated and ExecuteSqlInterpolated methods allow using string interpolation syntax in a way that protects against SQL injection attacks.
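The following is an added example, not code from the page or from EF Core itself, showing the unsafe and safe forms side by side; it assumes a Blog entity, a BloggingContext with a Blogs DbSet, and the SQL Server provider with a placeholder connection string.

```csharp
using System.Linq;
using Microsoft.EntityFrameworkCore;

// Assumed entity and context (not from the original page).
public class Blog
{
    public int Id { get; set; }
    public string Name { get; set; } = "";
}

public class BloggingContext : DbContext
{
    public DbSet<Blog> Blogs => Set<Blog>();

    protected override void OnConfiguring(DbContextOptionsBuilder options)
        => options.UseSqlServer("<connection-string-placeholder>");
}

public static class BlogQueries
{
    // VULNERABLE: FromSqlRaw takes a plain string, so the $"..." is formatted
    // *before* EF Core sees it and the search term is spliced into the SQL text.
    public static IQueryable<Blog> SearchUnsafe(BloggingContext db, string term)
        => db.Blogs.FromSqlRaw($"SELECT * FROM dbo.Blogs WHERE Name LIKE '%{term}%'");

    // SAFE: FromSqlInterpolated takes a FormattableString; each {hole} becomes a
    // DbParameter. Building the LIKE pattern first keeps the hole a single value.
    public static IQueryable<Blog> SearchSafe(BloggingContext db, string term)
    {
        var pattern = $"%{term}%";
        return db.Blogs
            .FromSqlInterpolated($"SELECT * FROM dbo.Blogs WHERE Name LIKE {pattern}")
            .OrderBy(b => b.Name); // composing with LINQ still works on the raw query
    }

    // ALSO SAFE: FromSqlRaw with a positional placeholder; the value is passed
    // separately and bound as a parameter rather than formatted into the string.
    public static IQueryable<Blog> SearchRawParameterized(BloggingContext db, string term)
        => db.Blogs.FromSqlRaw("SELECT * FROM dbo.Blogs WHERE Name LIKE {0}", $"%{term}%");

    // Non-query statements get the same protection via ExecuteSqlInterpolated.
    // Note: holes can only carry values, never identifiers; an interpolated table
    // or column name would be sent as a string parameter, not as SQL syntax.
    public static int RenameBlog(BloggingContext db, int id, string newName)
        => db.Database.ExecuteSqlInterpolated(
            $"UPDATE dbo.Blogs SET Name = {newName} WHERE Id = {id}");
}
```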
