Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[Suggestion] Support non-value arguments in FromSqlInterpolated

See original GitHub issue

Hello there, sometimes I need to customize my SQL query according to user input, e.g. by using different column names or SQL keywords, such as ASC and DESC.

Here’s a simplified example: the ordering direction is decided by the user.

// User inputs - these come in from the querystring, I sanitized them before use
decimal price = 10.0m;
string direction = "ASC";

// Get results
List<Course> courses = await dbContext.Courses.FromSqlInterpolated(
             $"SELECT * FROM Courses WHERE Price>={price} ORDER BY Price {direction}" //here is a non-value
             ).ToListAsync();

As you can see, the direction argument is not a value. Since it’s a SQL keyword, it must not become a DbParameter. How can I instruct the FromSqlInterpolated method to format it as-is instead of making it a DbParameter?

If this is not supported already (docs don’t seem to mention it), how about a simple type cast to discriminate between values and non-values?

$"SELECT * FROM Courses WHERE Price>={price} ORDER BY Price {(NotValue) direction}"

Thanks Moreno

Issue Analytics

State:
Created 2 years ago
Comments:5 (3 by maintainers)

Top GitHub Comments

1reaction

rojicommented, Apr 25, 2021

Well, if we added a raw-interpolation option to FromSqlInterpolated (which is basically what this would mean), that would make it pretty much as risky as FromSqlRaw… It seems better to keep FromSqlInterpolated 100% safe. In addition, I’m not sure how something like that would technically work; it seems you want to somehow configure - on a case-by-case basis - if interpolation should lead to database parameterization (safe) or string interpolation (raw, unsafe). I’m not aware of a way to do that with C# string interpolation - am I missing something?

0reactions

BrightSoulcommented, Apr 26, 2021

it seems you want to somehow configure - on a case-by-case basis - if interpolation should lead to database parameterization (safe) or string interpolation (raw, unsafe)

@roji Yes, exactly. It’d be flexible and still safer than relying on FromSqlRaw, since the programmer would have to knowingly and explicitly choose which (few) arguments should be opted-out of parametrization.

I’m not aware of a way to do that with C# string interpolation

Indeed, it cannot be done with a language construct, unfortunately but it could be implemented around here in the QuerySqlGenerator as follows:

If the argument is some ad-hoc container type, then interpolate its contained value;
Parametrize in all other cases.

Now that I give a better look at the code, It seems to me that this “ad-hoc container type” I mentioned already exist. It could be the SqlConstantExpression. In fact, it gets special treatment in the QuerySqlGenerator here. https://github.com/dotnet/efcore/blob/ac2bb48b10ecf1289b568a94b7a35e8075c6d787/src/EFCore.Relational/Query/QuerySqlGenerator.cs#L384-L392

If I can read this correctly, the SqlConstantExpression contained value is printed, instead of a new parameter being added to the command, i.e. the exact behavior I was after. I tried experimenting with it but without success so far.