
Comments (4)

roji avatar roji commented on June 18, 2024

That is all covered in the docs: column/table names cannot be parameterized in databases, so you must use string interpolation to construct your SQL, and that can be vulnerable to SQL injection. What point exactly do you think isn't covered in the docs?

from efcore.pg.

Millarex avatar Millarex commented on June 18, 2024

I apologize for the incorrect test example with the table name. I will give an example from real code, where there is no reference to table names or any other part of the schema.
Using Npgsql.EntityFrameworkCore.PostgreSQL.NetTopologySuite 8.0.0.

This code has an EF1002 warning, but works correctly. How can I rewrite the code correctly so that I don't get EF1002?

var point = new Point(10, 10);
var tolerance = 50;
var wktPoint = point.ToText().Replace(",", "");
var bufferedPoint = await dbContext.Database
    .SqlQueryRaw<Geometry>($"SELECT ST_Buffer(ST_GeogFromText('{wktPoint}'), {tolerance}, 8) as \"Value\"")
    .FirstOrDefaultAsync(cancellationToken: cancellationToken);

I tried this, but got an error.

var point = new Point(10, 10);
var tolerance = 50;
var wktPoint = point.ToText().Replace(",", "");
var bufferedPoint = await dbContext.Database
     .SqlQueryRaw<Geometry>("SELECT ST_Buffer(ST_GeogFromText('@wktPoint'), @tolerance, 8) as \"Value\""
     ,new NpgsqlParameter<string>("wktPoint",wktPoint),new NpgsqlParameter<int>("tolerance",tolerance))
     .FirstOrDefaultAsync();

from efcore.pg.

roji avatar roji commented on June 18, 2024

Why are you using SqlQueryRaw as opposed to SqlQuery, which provides parameter safety?

from efcore.pg.

Millarex avatar Millarex commented on June 18, 2024

I understood what the problem was. I called the method like this and got an error. I didn't notice that this construction is not string interpolation. The single quotes in '{wktPoint}' played a cruel joke on me. Thank you for helping me figure out the problem, and sorry for wasting your time.

.SqlQuery<Geometry>($"SELECT ST_Buffer(ST_GeogFromText('{wktPoint}'), {tolerance}, 8) as \"Value\"")
//valid variant
.SqlQuery<Geometry>($"SELECT ST_Buffer(ST_GeogFromText({wktPoint}), {tolerance}, 8) as \"Value\"")

from efcore.pg.
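As an added illustration of the two points in this thread (why SqlQuery is safer than SqlQueryRaw, and why the quoted '{wktPoint}' form fails while the unquoted form works), and not code from the issue, from EF Core or from Npgsql: SqlQuery accepts a FormattableString and turns each interpolation hole into a database parameter, so a hole wrapped in single quotes is replaced by a placeholder that sits inside a string literal and is never bound. The Parameterize helper below is a simplified stand-in for that conversion; the @p0/@p1 parameter names, the sample WKT value and the Main driver are assumptions made for this demo.

```csharp
// Added demo (not EF Core's or Npgsql's code): how an interpolated string is
// turned into a parameterized query, and why '{wktPoint}' inside single quotes
// becomes a literal instead of a parameter.
using System;
using System.Collections.Generic;
using System.Linq;

static class InterpolatedSqlDemo
{
    // Simplified model of what EF Core's SqlQuery/FromSql does with a
    // FormattableString: every {..} hole becomes a @pN placeholder and its
    // value travels as a separate parameter. The @pN naming is an assumption.
    public static (string Sql, IReadOnlyList<object?> Parameters) Parameterize(FormattableString sql)
    {
        var placeholders = Enumerable.Range(0, sql.ArgumentCount)
                                     .Select(i => (object)$"@p{i}")
                                     .ToArray();
        return (string.Format(sql.Format, placeholders), sql.GetArguments());
    }

    // Raw path: the values are baked into the string before the database sees it,
    // so nothing is left to parameterize. This is the shape that triggers EF1002.
    public static string RawConcatenation(string wktPoint, int tolerance) =>
        $"SELECT ST_Buffer(ST_GeogFromText('{wktPoint}'), {tolerance}, 8) as \"Value\"";

    public static void Main()
    {
        // Constructed sample input: what Point(10, 10).ToText() would yield.
        var wktPoint = "POINT (10 10)";
        var tolerance = 50;

        // 1. Raw string: SQL and data are fused; any value reaching wktPoint is
        //    executed as SQL text rather than bound as data.
        Console.WriteLine(RawConcatenation(wktPoint, tolerance));

        // 2. FormattableString with the hole wrapped in quotes: the hole is still
        //    replaced, but by a placeholder inside a string literal, so the server
        //    receives the text '@p0' and the real value is never used.
        var (quotedSql, _) = Parameterize(
            $"SELECT ST_Buffer(ST_GeogFromText('{wktPoint}'), {tolerance}, 8) as \"Value\"");
        Console.WriteLine(quotedSql);
        // SELECT ST_Buffer(ST_GeogFromText('@p0'), @p1, 8) as "Value"

        // 3. Correct form: no quotes around the hole; the database sees a bound
        //    parameter and the query text never contains the value.
        var (goodSql, args) = Parameterize(
            $"SELECT ST_Buffer(ST_GeogFromText({wktPoint}), {tolerance}, 8) as \"Value\"");
        Console.WriteLine(goodSql);
        // SELECT ST_Buffer(ST_GeogFromText(@p0), @p1, 8) as "Value"
        Console.WriteLine(string.Join(", ", args));
        // POINT (10 10), 50
    }
}
```

The takeaway for the thread: with SqlQuery the interpolated value is a parameter only when the hole stands on its own; quoting it in the SQL text turns it back into a literal, which is exactly the error the second comment ran into.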
