Efcore: Migration commands sending data inline instead of using parameters.

Created on 20 May 2020  ·  4 Comments  ·  Source: dotnet/efcore


I am working on an EFCORE provider and I notice the following behavior:

When seeding some data in the DB using Migration commands from the Package Manager Console, the SQL queries created have the data INLINE and do not use any bind parameters.

Not using bind parameters can cause the following issues:

  1. We cannot control the bind type, if required.
  2. SQL Injection Issues.
  3. If the string contains sensitive information, then tracing out the SQL will also end up tracing out the string containing sensitive information.

I request you to change this behavior so bind parameters are used instead of data being sent inline.

Steps to reproduce