String interpolation for EFCore and Like
I have had a problem with EF Core and String Interpolation – until I realized that was a problem with sp_executesql
But let’s see the whole problem. ta
EFCore supports string interpolation – that means , if you give this code
<context>.<table>.FromSql($”select blabla from table where id={id}”)
it will transform into
exec sp_executesql N’select blabla from table where id= @p0 ”
‘,N’@p0 int’,@p0=N’200′
And it is very good , because it avoids sql injection . ( Just a note, do not put
$”select blabla from table where id={id}”
into a variable – you WILL have SqlInjection )
Ok. Now I want to do a like – plain simple, right ?
<context>.<table>.FromSql($”select blabla from table where CountryName like ‘%{name}%’ ”)
And I try – and NO RESULT comes. I will into the generated Sql ( by using SqlProfiler from SSMS ) and it gives
exec sp_executesql N’select blabla from table where CountryName like ”%p0%”’,N’@p0 nvarchar(4000)’,@p0=N’france’
Pretty harmless , right ?
And seems ok – until I have executed directly and see that no results come.
So StackOverflow to the rescue : https://stackoverflow.com/questions/3556506/using-like-in-sp-executesql
And so my query in C# have been modified to
<context>.<table>.FromSql($”select blabla from table where where CountryName like ‘%’ + {name} + ‘%'” )
And now it works!
Moral of the story : always investigate the sql generated .
Leave a Reply