none
Compiled "LINQ To Entities" Query And Sql parameterization RRS feed

  • Question

  • Why this code does not result in a parameterized query? Does the N prefix prevent sql injection?

    private static readonly Func<Context, string, IQueryable<int>> GetUserIdByEmail_Compiled =
                CompiledQuery.Compile<Context, string, IQueryable<int>>(
                    (ctx, userEmail) => ctx.UserSet.Where(u => u.Email == userEmail).Select(u => u.Id));

            public int GetUserIdByEmail(string email)
            {
                return GetUserIdByEmail_Compiled.Invoke(ctx, email).FirstOrDefault();
                //            "SELECT TOP (1)
                //[Extent1].[Id] AS [Id]
                //FROM [dbo].[UserSet] AS [Extent1]
                //WHERE N'abarref1@gmail.com' = [Extent1].[Email]"

            }

    On the other hand, this code generates a diferent (parameterized) query:

    ctx.UserSet.Where(u => u.Email == email).Select(u => u.Id).FirstOrDefault();
                //            "SELECT
                //[Limit1].[Id] AS [Id]
                //FROM ( SELECT TOP (1)
                //    [Extent1].[Id] AS [Id]
                //    FROM [dbo].[UserSet] AS [Extent1]
                //    WHERE [Extent1].[Email] = @p__linq__0
                //)  AS [Limit1]"

     

    Thanks in advance.

    Sunday, January 22, 2012 2:14 PM

Answers

All replies