Reputation: 63
Dapper Order By Parameters
This is a follow-up to this question:
Since parameterization doesn't work in the order by clause with Dapper, what is the recommended method of keeping bobby tables at bay? Does Dapper provide some way to clean these parameters, or is there a recommended regex, etc.
Upvotes: 2
Views: 5493
Answers (1)
Reputation: 1063714
If you mean "ascending vs descending" - pass it in as a boolean or enum value, and append to the tsql accordingly. If you mean "which column" then usually, no matter what mechanics you use to get there, you will end up at some point with a string that is (or should be) a column name. So: just white-list this against a list of the expected column names : job done. Actually, it also wouldn't be uncommon to remap it at the same time - so the string coming in might be "name", but the column could be "Customer_Name" - fine: the lookup can double-up as the whitelist.
Note : all of this is largely unrelated to what tools you are using to get at the actual data, and would work equally on any tooling.
Upvotes: 6
Related Questions
- Doctrine DQL dynamic ORDER BY parameter
- Trying to pass order by clause as parameter
- Parameter in order by clause doesn't order -mysql, C#
- Dapper, SqlBuilder extension and Order By descending
- Dapper Order By
- JPQL ORDER BY clause with parameter
- How to Sort data according to Order by clause using DESC order in dapper extensions?
- Parameterize 'order by' in SQL
- Using SqlParameter to create Order By clause
- Specifying a parameter in C#'s OrderBy methods