Parameters vs String interpolation

Tags: c#, sql

What is the advantage of using parameters over using string interpolation?

Is this

"SELECT * FROM dbo.Posts WHERE Author = @p0", userSuppliedAuthor;

any better than

$@"SELECT * FROM dbo.Posts WHERE Author = {userSuppliedAuthor}";

?

nPcomp asked Jan 31 '17 14:01



2 Answers

String interpolation is just syntactic sugar for formatting strings. It gives you no protection against SQL injection. You should use SQL parameters to provide values for your query.

Consider - what if userSuppliedAuthor equals

'Bob' OR 1 = 1

Or even

'Bob'; DROP TABLE Users;

Further reading: SQL Injection

Sergey Berezovskiy answered Oct 07 '22 09:10

In addition to SQL injection issues mentioned by Sergey, you can have issues with totally valid strings that contain certain characters, like "'", "." and "@" characters that mean things to SQL and need to be handled. It's always best to parameterize queries to prevent these issues, not only with injection when going straight from user input, but even something as simple as an email address or a possessive in a title.

Andrew answered Oct 07 '22 09:10
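As an added example (not code from the question or either answer), here are the two snippets from the question translated into Python over an in-memory SQLite table so they run offline. Python's f-string stands in for C#'s $"..." interpolation and SQLite's :p0 stands in for SQL Server's @p0; the table, its rows and the inputs are constructed here. One run covers both Sergey's injection payloads and Andrew's point about legitimate values such as a possessive name.

```python
import sqlite3

# Constructed stand-in for dbo.Posts (assumption: the real table is in SQL
# Server; SQLite is used only so this runs without a server).
SAMPLE_POSTS = [
    ("Alice", "First post"),
    ("Bob", "Bob's post"),
    ("O'Brien", "A possessive"),   # a legitimate value containing a quote
]


def make_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Posts (Author TEXT, Title TEXT)")
    conn.executemany("INSERT INTO Posts VALUES (?, ?)", SAMPLE_POSTS)
    return conn


def query_interpolated(conn, user_supplied_author):
    """Mirrors $@"... WHERE Author = {userSuppliedAuthor}": the raw value is
    pasted into the SQL text, so whatever it contains becomes part of the
    statement (and the caller must even supply the quotes)."""
    sql = f"SELECT Author, Title FROM Posts WHERE Author = {user_supplied_author}"
    return conn.execute(sql).fetchall()


def query_parameterized(conn, user_supplied_author):
    """Mirrors "... WHERE Author = @p0", userSuppliedAuthor: the statement
    text is fixed and the value is bound separately, so it can only ever be
    compared against Author, never parsed as SQL."""
    sql = "SELECT Author, Title FROM Posts WHERE Author = :p0"
    return conn.execute(sql, {"p0": user_supplied_author}).fetchall()


def compare(user_supplied_author):
    """Run both forms on a fresh table.

    Returns (interpolated_result, parameterized_result); when the interpolated
    statement fails to parse, the exception class name is returned instead of
    rows so the caller can see that the input broke the query.
    """
    conn = make_db()
    try:
        interpolated = query_interpolated(conn, user_supplied_author)
    except (sqlite3.Error, sqlite3.Warning) as exc:
        interpolated = type(exc).__name__
    parameterized = query_parameterized(conn, user_supplied_author)
    conn.close()
    return interpolated, parameterized


if __name__ == "__main__":
    for value in ["Bob", "'Bob' OR 1 = 1", "'Bob'; DROP TABLE Users;", "O'Brien"]:
        interp, param = compare(value)
        print(f"{value!r:30} interpolated={interp!r:45} parameterized={param!r}")
```

Running it shows the pattern the answers describe: the interpolated form returns every row for the OR payload, rejects the multi-statement payload only because this driver happens to refuse it, and fails outright on both a plain "Bob" (no quotes) and "O'Brien" (an unbalanced quote), while the parameterized form returns exactly the matching row for each real author and nothing for the payloads.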