Feedback on ASP.NET Web API

entity framework

I noticed that queries generated when annotating a method with Queryable which returns an IQueryable<T> obtained from an EF DbSet are not parametrized when using, for example, an OData $filter, which scares me for two main reasons: SQL injection and performance.

It would be good if you could take this into account and include such a feature as part of the final version.

Michel Fornaris shared this idea

completed · Daniel Roth responded:

The LINQ translator must ensure expressions are safe for all possible literals and either parameterize or appropriately escape constants.

From the performance perspective it’s unlikely that adjusting parameters/constants will cause a big change in performance in current versions of SQL. The server will try to auto-parameterize queries.
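The response above says the LINQ translator either parameterizes or escapes constants. The following is an added check (not code from the original post or from the ASP.NET Web API project) that shows both outcomes in Entity Framework 6: the same predicate built once with a constant baked into the expression tree and once through a captured local, printing the SQL EF generates for each. It assumes a hypothetical `BloggingContext` with a `Blogs` DbSet, a `Blog` entity with a string `Name`, and a reachable SQL Server (or LocalDb) connection resolved by EF6's convention; the sample input is constructed.

```csharp
using System;
using System.Data.Entity;
using System.Linq;
using System.Linq.Expressions;

// Hypothetical model and context used only for this demonstration.
public class Blog { public int BlogId { get; set; } public string Name { get; set; } }
public class BloggingContext : DbContext { public DbSet<Blog> Blogs { get; set; } }

static class ParameterizationCheck
{
    static void Main()
    {
        // Constructed sample value standing in for a $filter literal; the quote
        // is there to show escaping in the inlined case.
        string userInput = "O'Reilly";

        using (var db = new BloggingContext())
        {
            // Case 1: the value is a ConstantExpression inside the tree.
            // EF6 inlines it into the SQL text as an escaped literal (N'O''Reilly').
            var inlined = db.Blogs.Where(BuildFilterWithConstant(userInput));
            Console.WriteLine("Inlined constant:\n" + inlined);

            // Case 2: the value is reached through a captured local (closure member
            // access). EF6 emits a parameter (e.g. @p__linq__0) and sends the value
            // separately, which is the shape a translator should produce for
            // user-supplied literals.
            var parameterized = db.Blogs.Where(b => b.Name == userInput);
            Console.WriteLine("Captured variable:\n" + parameterized);
        }
    }

    // Builds b => b.Name == <value> with the value embedded as a constant,
    // the way a naive query-string-to-expression binder might do it.
    static Expression<Func<Blog, bool>> BuildFilterWithConstant(string value)
    {
        var b = Expression.Parameter(typeof(Blog), "b");
        var body = Expression.Equal(
            Expression.Property(b, nameof(Blog.Name)),
            Expression.Constant(value, typeof(string)));
        return Expression.Lambda<Func<Blog, bool>>(body, b);
    }
}
```

Running this against your own OData controller's DbSet lets you confirm which shape the $filter binder produces before relying on the server's auto-parameterization.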
