Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News String Interpolation in Entity Framework Raises Concerns

String Interpolation in Entity Framework Raises Concerns

Leia em Português


One of the new features in Entity Framework Core 2 is the ability to automatically convert interpolated strings into parameterized SQL. Though designed to avoid problems with poorly written SQL, it is feared that it may actually lead to more SQL injection attacks.

Here is an example of string interpolation working correctly:

var city = "Redmond";
context.Customers.FromSql($"SELECT * FROM Customers WHERE City = {city}");
SELECT * FROM Customers WHERE City = @p0

And here is a slightly modified version that doesn’t work:

var city = "Redmond";
var sql = $"SELECT * FROM Customers WHERE City = {city}";
SELECT * FROM Customers WHERE City = Redmond

The simple act of storing an expression in a local variable completely changes the behavior of the code.

To understand why this happens you need to know what $" actually does in C#. At first glance it looks like it is just converting the interpolated string into a normal String.Format call. But there is a little more to it.

The natural type of an $" expression is actually a subclass of FormattableString. This object contains the format string expression and all of values needed to populate it. When you pass this object to EF Core’s FromSql(FormattableString) method, it performs the necessary substitutions so that you get a parameterized SQL expression.

The problem is that the compiler doesn’t like working with FormattableString. Unless you directly assign it to a variable or parameter of that type, an $" expression will be immediately converted to a string. Normally this is a benign change, as you are going to want it in String format eventually.

Unfortunately, in the case of EF Core, you lose all of the interesting information that allows Entity Framework to parameterize your SQL. And with no compiler warnings or other hints that something went wrong, this kind of bug can easily creep into an application as developers attempt to “clean up” the code.

To see more examples of how mistakes in using string interpolation in EF Core can lead to SQL injections attacks, download Nick Craver’s EFCoreInjectionSample from GitHub or watch his presentation on ASP.NET monsters titled SQL Injection attacks in Entity Framework Core 2.0.

Rate this Article


Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Community comments

  • var always causes dangerous problems!

    by Nima Niazmand,

    Your message is awaiting moderation. Thank you for participating in the discussion.

    That's not string Interpolation fault, that's var fault. Using var always causes dangerous problems in code and makes code unreadable, According to c# coding style var should use only for IQueryable and linq!

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p