String Interpolation in Entity Framework Raises Concerns

| by Jonathan Allen Follow 594 Followers on Sep 18, 2017. Estimated reading time: 1 minute |

One of the new features in Entity Framework Core 2 is the ability to automatically convert interpolated strings into parameterized SQL. Though designed to avoid problems with poorly written SQL, it is feared that it may actually lead to more SQL injection attacks.

Here is an example of string interpolation working correctly:

var city = "Redmond";
context.Customers.FromSql($"SELECT * FROM Customers WHERE City = {city}");
SELECT * FROM Customers WHERE City = @p0

And here is a slightly modified version that doesn’t work:

var city = "Redmond";
var sql = $"SELECT * FROM Customers WHERE City = {city}";
SELECT * FROM Customers WHERE City = Redmond

The simple act of storing an expression in a local variable completely changes the behavior of the code.

To understand why this happens you need to know what $" actually does in C#. At first glance it looks like it is just converting the interpolated string into a normal String.Format call. But there is a little more to it.

The natural type of an $" expression is actually a subclass of FormattableString. This object contains the format string expression and all of values needed to populate it. When you pass this object to EF Core’s FromSql(FormattableString) method, it performs the necessary substitutions so that you get a parameterized SQL expression.

The problem is that the compiler doesn’t like working with FormattableString. Unless you directly assign it to a variable or parameter of that type, an $" expression will be immediately converted to a string. Normally this is a benign change, as you are going to want it in String format eventually.

Unfortunately, in the case of EF Core, you lose all of the interesting information that allows Entity Framework to parameterize your SQL. And with no compiler warnings or other hints that something went wrong, this kind of bug can easily creep into an application as developers attempt to “clean up” the code.

To see more examples of how mistakes in using string interpolation in EF Core can lead to SQL injections attacks, download Nick Craver’s EFCoreInjectionSample from GitHub or watch his presentation on ASP.NET monsters titled SQL Injection attacks in Entity Framework Core 2.0.

Rate this Article

Adoption Stage

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

var always causes dangerous problems! by Nima Niazmand

That's not string Interpolation fault, that's var fault. Using var always causes dangerous problems in code and makes code unreadable, According to c# coding style var should use only for IQueryable and linq!

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

1 Discuss

Login to InfoQ to interact with what matters most to you.

Recover your password...


Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.


More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.


Stay up-to-date

Set up your notifications and don't miss out on content that matters to you