J.J

Reputation: 1001

EF Core raw query with Like clause

I want to create queries using EF FromSqlInterpolated or FromSqlRaw that allow me to use Like clauses, but I don't know what the right way to do it is without opening the application to SQL injection attacks. A first approach has taken me to the following code:

var results = _context.Categories.FromSqlInterpolated(
$"Select * from Category where name like {"%" + partialName + "%"}");

The first test worked fine: it returns results when providing expected strings, and returns nothing when I provide something like ';select * from Category Where name='Notes'--%'. Still, I don't know much about SQL injection, at least not enough to feel safe with the query shown above. Does someone know if the query is safe, or if there is a right way to do it? Thanks

Upvotes: 2

Views: 1859

Answers (1)

Nguyễn Văn Phong

Reputation: 14228

From this document

The FromSqlInterpolated and ExecuteSqlInterpolated methods allow using string interpolation syntax in a way that protects against SQL injection attacks.

var results = _context.Categories.FromSqlInterpolated(
$"Select * from Category where name like {"%" + partialName + "%"}");

Or you can also change your query to LINQ-to-Entities like this:

var results = _context.Categories.Where(p => p.name.Contains(partialName));

Upvotes: 5
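An added example, not code from the question or the answer above, that puts the parameterised queries next to the spliced form they are protecting against and adds the one caveat the answer leaves out: parameters stop injection, but they do not stop LIKE wildcards supplied by the user. It assumes a C# console project referencing the Microsoft.EntityFrameworkCore and Microsoft.EntityFrameworkCore.Sqlite packages, a hypothetical Category entity with Id and Name columns (the table name comes from the question), and an in-memory SQLite database; the three rows are constructed for the demo.

```csharp
// Added example; not from the question or answer. Assumes the NuGet packages
// Microsoft.EntityFrameworkCore and Microsoft.EntityFrameworkCore.Sqlite (EF Core 6 or later)
// and a hypothetical Category entity with Id and Name. The rows below are constructed.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.EntityFrameworkCore;

public class Category
{
    public int Id { get; set; }
    public string Name { get; set; } = "";
}

public class AppDbContext : DbContext
{
    public DbSet<Category> Categories => Set<Category>();

    protected override void OnConfiguring(DbContextOptionsBuilder options)
        => options.UseSqlite("Data Source=:memory:"); // assumption: in-memory SQLite for the demo

    protected override void OnModelCreating(ModelBuilder mb)
        => mb.Entity<Category>().ToTable("Category");
}

public static class LikeQueries
{
    // Safe: every {...} hole becomes a DbParameter. The % wildcards travel inside the
    // parameter value, so the SQL text is the same no matter what partialName contains.
    public static List<Category> SafeInterpolated(AppDbContext db, string partialName) =>
        db.Categories
          .FromSqlInterpolated($"SELECT * FROM Category WHERE Name LIKE {"%" + partialName + "%"}")
          .ToList();

    // Also safe: FromSqlRaw with explicit placeholders is parameterised the same way.
    public static List<Category> SafeRaw(AppDbContext db, string partialName) =>
        db.Categories
          .FromSqlRaw("SELECT * FROM Category WHERE Name LIKE {0}", "%" + partialName + "%")
          .ToList();

    // UNSAFE: a $"..." passed to FromSqlRaw is evaluated to a plain string first, so the
    // input is spliced into the SQL text. Kept only to contrast with the versions above.
    public static List<Category> UnsafeRaw(AppDbContext db, string partialName) =>
        db.Categories
          .FromSqlRaw($"SELECT * FROM Category WHERE Name LIKE '%{partialName}%'")
          .ToList();

    // Parameterisation stops injection but not LIKE metacharacters: a "%" or "_" in the
    // input still acts as a wildcard. Escape them when a literal substring match is wanted.
    public static List<Category> LiteralSubstring(AppDbContext db, string partialName)
    {
        string escaped = partialName
            .Replace("\\", "\\\\")
            .Replace("%", "\\%")
            .Replace("_", "\\_");
        return db.Categories
                 .Where(c => EF.Functions.Like(c.Name, "%" + escaped + "%", "\\"))
                 .ToList();
    }
}

public static class Program
{
    static void Report(string label, List<Category> rows) =>
        Console.WriteLine($"{label,-28} {rows.Count} row(s): {string.Join(", ", rows.Select(r => r.Name))}");

    public static void Main()
    {
        using var db = new AppDbContext();
        db.Database.OpenConnection(); // an in-memory SQLite database lives as long as this connection
        db.Database.EnsureCreated();
        db.Categories.AddRange(
            new Category { Name = "Notes" },
            new Category { Name = "Note_Books" },
            new Category { Name = "Archive" });
        db.SaveChanges();

        // Constructed payload: closes the quoted pattern and appends an always-true condition.
        const string hostile = "nothing%' OR 1=1 --";
        // Parameterised: the whole payload is data inside the LIKE pattern, so no name matches it.
        Report("FromSqlInterpolated", LikeQueries.SafeInterpolated(db, hostile));
        Report("FromSqlRaw + {0}", LikeQueries.SafeRaw(db, hostile));
        // Spliced: the WHERE clause now reads ... LIKE '%nothing%' OR 1=1 --%' and every row comes back.
        Report("FromSqlRaw + $\"...\"", LikeQueries.UnsafeRaw(db, hostile));

        // Wildcard caveat: "_" is not injection, but unescaped it matches any single character.
        const string wildcard = "_";
        Report("LIKE, raw wildcard", LikeQueries.SafeInterpolated(db, wildcard));
        Report("LIKE, escaped wildcard", LikeQueries.LiteralSubstring(db, wildcard));
    }
}
```

Two points worth checking in your own code: FromSqlInterpolated only accepts a FormattableString, so the interpolated query has to be written directly in the call (a $"..." first stored in a string variable is already flattened and will not compile against it), whereas FromSqlRaw accepts any string and will silently run a flattened one. And the LINQ Contains alternative from the answer is not just shorter: EF Core translates it as a literal substring test, so a "%" or "_" typed by the user does not become a wildcard the way it does inside a hand-written LIKE pattern.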
