Entityframework.docs: Does this mean string interpolation syntax is safe?

Created on 19 Nov 2018  Â·  8Comments  Â·  Source: dotnet/EntityFramework.Docs

var user = "johndoe";
var blogs = context.Blogs
.FromSql($"EXECUTE dbo.GetMostPopularBlogsForUser {user}")
.ToList();

Is this protected from SQL injection attach?

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

closed-question
Source
picture nicholasyin
👍1

Most helpful comment

Both '$@' (verbatim string interpolation) and '$' produce FormattableString. The problem is operations on FormattableString can produce a string and the EFCore overload that takes
FormattableString won't be invoked, which is a pretty subtle way to introduce SQL injection bugs.

            var x = 1;
            FormattableString a = $"{x}"; // this compiles fine
            string  b = $"{x}"; // also compiles fine
            FormattableString c =  $"{x}".ToString(); // compilation error
            string d = a + a; // compilation error 
            string e = a + b; // compiles fine (ooops!)
picture kayjtea on 22 Jul 2019
👍3

All 8 comments

Yes. Source: https://docs.microsoft.com/en-us/ef/core/what-is-new/ef-core-2.0#string-interpolation-in-fromsql-and-executesqlcommand

dalion619 picture dalion619 on 26 Nov 2018

So why VS I still shows a warning "The SQL expression passed to 'ExecuteSqlCommand' embeds data that will not be parameterized"?

marekpetak picture marekpetak on 22 Jan 2019

Multiple reasons to why VS would do that.

Maybe this can help with an explanation.
https://github.com/aspnet/EntityFrameworkCore/issues/10080

dalion619 picture dalion619 on 22 Jan 2019

But concatenation, e.g.
_appDbContext
.Database
.ExecuteSqlCommand($"INSERT INTO tblclauditlog (tablename, fieldname, recordid) " +
$"VALUES ({tableName},{fieldName},{recordId})");

Is not?

Wish it was to enable tidier code.

ASKemp picture ASKemp on 11 Feb 2019

NO NO NO, please PLEASE fix this documentation!!!! Interpolation results in injection vulnerability - the evaluation of the string interpolation is executed before the parameter is passed into the method call. The FormattableString is what is used in the example linked to from above, NOT interpolation!!!
See this page:
https://cmatskas.com/ef-core-string-interpolation-and-sql-injection/

I REPEAT in this document the example is using the FormattableString syntax, and calling is interpolation, BAD:
https://docs.microsoft.com/en-us/ef/core/what-is-new/ef-core-2.0#string-interpolation-in-fromsql-and-executesqlcommand
They are using the FormattableString syntax, NOT String interpolation:
var rawSql = $@"Select * from table where columnName = {varIn}";

ronniedepriest picture ronniedepriest on 11 Jun 2019

@ronniedepriest from the links you gave, the only difference I can tell is the use of '$@' instead of '$'. Did you mean using '$@' will generate auto parameterization?

ghost picture ghost on 13 Jun 2019

Both '$@' (verbatim string interpolation) and '$' produce FormattableString. The problem is operations on FormattableString can produce a string and the EFCore overload that takes
FormattableString won't be invoked, which is a pretty subtle way to introduce SQL injection bugs.

            var x = 1;
            FormattableString a = $"{x}"; // this compiles fine
            string  b = $"{x}"; // also compiles fine
            FormattableString c =  $"{x}".ToString(); // compilation error
            string d = a + a; // compilation error 
            string e = a + b; // compiles fine (ooops!)
kayjtea picture kayjtea on 22 Jul 2019
👍3

No longer relevant for 3.0.

ajcvickers picture ajcvickers on 30 Aug 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

MCcoder52 picture MCcoder52  Â·  3Comments
CubeSpark picture CubeSpark  Â·  3Comments
CeciAc picture CeciAc  Â·  4Comments
divega picture divega  Â·  3Comments
divega picture divega  Â·  4Comments