Reading this interesting article about SQL injection prevention in EF Core, I found out that now an interpolated string may result in a FormattableString.
Running this test code in .NET Core 2.2:
public static void Main()
{
var filter = "Mark'; DROP TABLE tbl; --";
Console.WriteLine(FromSql("SELECT * FROM tbl WHERE fld = '" + filter + "'"));
Console.WriteLine(FromSql($"SELECT * FROM tbl WHERE fld = {filter}"));
Console.WriteLine(FromSql(FormattableStringFactory.Create(
"SELECT * FROM tbl WHERE fld = {0}", filter)));
}
private static string FromSql(string sql) => sql;
private static string FromSql(FormattableString sql)
{
var formatArgs = sql.GetArguments();
for (var paramIndex = 0; paramIndex < sql.ArgumentCount; ++paramIndex)
formatArgs[paramIndex] = "@p" + paramIndex;
return sql.ToString();
}
is not giving what I expected:
SELECT * FROM tbl WHERE fld = 'Mark'; DROP TABLE tbl; --'
SELECT * FROM tbl WHERE fld = Mark'; DROP TABLE tbl; --
SELECT * FROM tbl WHERE fld = @p0
The second print should output like the last one.
Try this is fiddle.
What am I missing?
Your second call
Console.WriteLine(FromSql($"SELECT * FROM tbl WHERE fld = {filter}"));looks to be going to theFromSql(string sql)overload instead ofFromSql(FormattableString sql).Just remove the
FromSql(string sql)method (and the first call to it),and it will go as expected; see the modified Fiddle.
The compiler seems to translate
var q = $"SELECT * FROM tbl WHERE fld = {filter}";to astring.Because of the
stringtype, aString.Formathas taken place.From the documentation:
Whereas explicitly specifying
FormattableStringas ina
FormattableStringFactory.Createis being used.From the documentation: