Reputation: 9943
What is the advantage of using parameters over using string interpolation?
Is this
"SELECT * FROM dbo.Posts WHERE Author = @p0", userSuppliedAuthor;
any better than
$@"SELECT * FROM dbo.Posts WHERE Author = {userSuppliedAuthor}";
?
Upvotes: 8
Views: 6745
Reputation: 1596
In addition to the SQL injection issues mentioned by Sergey, you can have issues with totally valid strings that contain certain characters, like "'", "." and "@", that mean things to SQL and need to be handled. It's always best to parameterize queries to prevent these issues, not only with injection when going straight from user input, but even with something as simple as an email address or a possessive in a title.
Upvotes: 2
Reputation: 236268
String interpolation is just syntactic sugar for formatting strings. It gives you no protection against SQL injection. You should use SQL parameters to provide values for your query.
Consider: what if userSuppliedAuthor equals
'Bob' OR 1 = 1
Or even
'Bob'; DROP TABLE Users;
Further reading: SQL Injection
Upvotes: 16
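The two failure modes raised in the answers above, the "valid string with an apostrophe" problem and Sergey's `'Bob' OR 1 = 1` payload, as an added, runnable example. This is not code from the question or either answer: the original snippets are C#, and this reproduces them in Python with the standard-library sqlite3 module so the difference can be observed offline. The `Posts` table contents are constructed sample data; `find_by_author_interpolated` mirrors the `$@"... WHERE Author = {userSuppliedAuthor}"` template from the question (value pasted into the SQL text, no quoting added), and `find_by_author_parameterized` mirrors the `@p0` version (SQL text fixed, value sent separately).

```python
import sqlite3

# Constructed sample data; not from the original post.
POSTS = [
    ("Alice", "Hello world"),
    ("Bob", "Second post"),
    ("O'Brien", "Apostrophes in names are normal"),
]


def make_db():
    """In-memory database with the constructed Posts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Posts (Author TEXT, Title TEXT)")
    conn.executemany("INSERT INTO Posts VALUES (?, ?)", POSTS)
    return conn


def find_by_author_interpolated(conn, author):
    """The $@"..." pattern from the question: the caller's string becomes part
    of the SQL text, so the caller is responsible for quoting and the database
    cannot tell data from code."""
    sql = f"SELECT Author, Title FROM Posts WHERE Author = {author}"
    return conn.execute(sql).fetchall()


def find_by_author_parameterized(conn, author):
    """The @p0 pattern: the SQL text never changes; the value is bound by the
    driver and can only ever be compared against Author as data."""
    sql = "SELECT Author, Title FROM Posts WHERE Author = ?"
    return conn.execute(sql, (author,)).fetchall()


def demo():
    """Run both variants against the same inputs and return what each saw."""
    conn = make_db()
    results = {}

    # Happy path: with interpolation the caller has to supply the quotes.
    results["interp_bob"] = find_by_author_interpolated(conn, "'Bob'")
    results["param_bob"] = find_by_author_parameterized(conn, "Bob")

    # A perfectly legitimate value containing an apostrophe. Naively quoting
    # it breaks the SQL text; the bound parameter needs no escaping at all.
    try:
        results["interp_obrien"] = find_by_author_interpolated(conn, "'O'Brien'")
    except sqlite3.OperationalError as exc:  # unterminated / stray quote
        results["interp_obrien"] = f"error: {exc}"
    results["param_obrien"] = find_by_author_parameterized(conn, "O'Brien")

    # Sergey's payload, exactly as written in the answer. Interpolated, the
    # OR 1 = 1 becomes part of the WHERE clause and every row comes back.
    # Parameterized, the database looks for an author literally named
    # 'Bob' OR 1 = 1 and finds nothing.
    payload = "'Bob' OR 1 = 1"
    results["interp_payload"] = find_by_author_interpolated(conn, payload)
    results["param_payload"] = find_by_author_parameterized(conn, payload)

    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that sqlite3's `execute` refuses stacked statements, so Sergey's second payload (`'Bob'; DROP TABLE Users;`) raises a `ProgrammingError` here rather than dropping anything; many other database drivers and servers happily run the second statement, which is why that payload is the classic one.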