I noticed that the queries generated when annotating a method with Queryable, which returns an IQueryable<T> obtained from an EF DbSet, are not parameterized when using, for example, an OData $filter, which scares me for two main reasons: SQL injection and performance.
It will be good if you can take this into account and include such a feature as part of the final version.
The LINQ translator must ensure expressions are safe for all possible literals and either parameterize or appropriately escape constants.
From the performance perspective, it’s unlikely that adjusting parameters/constants will cause a big change in performance in current versions of SQL. The server will try to auto-parameterize queries.
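As an added illustration of the parameterize-or-escape point above (this is example code, not code from the thread or from the project), the C# helper below builds the same equality predicate two ways. It assumes EF Core's translation rules, where a bare `Expression.Constant` is inlined into the SQL as a literal while member access on a captured object is extracted as a bound parameter; the entity and property names are placeholders.

```csharp
using System;
using System.Linq;
using System.Linq.Expressions;

// Holder whose field is reached through a MemberExpression. EF Core's parameter
// extraction treats "member access on a constant object" as a query parameter,
// whereas a bare Expression.Constant is rendered inline as a SQL literal.
sealed class Box<TValue>
{
    public TValue Value;
    public Box(TValue value) => Value = value;
}

static class FilterBuilder
{
    // Literal form: the filter value is baked into the tree as a constant, so the
    // provider has to escape it and every distinct value produces a distinct SQL text.
    public static Expression<Func<T, bool>> EqualsInline<T, TValue>(string property, TValue value)
    {
        var item = Expression.Parameter(typeof(T), "e");
        var body = Expression.Equal(
            Expression.Property(item, property),
            Expression.Constant(value, typeof(TValue)));
        return Expression.Lambda<Func<T, bool>>(body, item);
    }

    // Parameterized form: same predicate, but the value sits behind a field of a
    // captured object, so the provider emits a parameter placeholder and binds the
    // value separately (one cached plan, no quoting concerns in the SQL text).
    public static Expression<Func<T, bool>> EqualsParameterized<T, TValue>(string property, TValue value)
    {
        var item = Expression.Parameter(typeof(T), "e");
        var box = new Box<TValue>(value);
        var body = Expression.Equal(
            Expression.Property(item, property),
            Expression.Field(Expression.Constant(box), nameof(Box<TValue>.Value)));
        return Expression.Lambda<Func<T, bool>>(body, item);
    }
}

// Usage sketch with a placeholder entity type; the filter value is constructed here
// and stands in for a string taken from an OData $filter clause.
// string fromFilter = "O'Brien";
// var safe = db.Customers.Where(FilterBuilder.EqualsParameterized<Customer, string>("Name", fromFilter));
// var risky = db.Customers.Where(FilterBuilder.EqualsInline<Customer, string>("Name", fromFilter));
// Inspect both with ToQueryString(): the first binds the value as a parameter, the second inlines it.
```

A translator that maps $filter literals onto the parameterized form gets plan reuse and removes the dependence on provider-side escaping in one step.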
Michel Fornaris commented
It will be good if parameterized queries are added as part of this release for OData filtering.