Correctly FromSqlRaw docs
Fixes #25567
roji committed Aug 18, 2021
1 parent c35b1b2 commit 9c81842
Showing 2 changed files with 16 additions and 16 deletions.
Expand Up @@ -131,7 +131,7 @@ public static Task MigrateAsync(
/// </para>
/// <code>
/// var userSuppliedSearchTerm = ".NET";
/// context.Database.ExecuteSqlRaw("UPDATE [dbo].[SearchBlogs] SET [Rank] = 50 WHERE [Name] = {0}", userSuppliedSearchTerm);
/// context.Database.ExecuteSqlRaw("UPDATE Blogs SET Rank = 50 WHERE Name = {0}", userSuppliedSearchTerm);
/// </code>
/// <para>
/// However, <b>never</b> pass a concatenated or interpolated string (<c>$""</c>) with non-validated user-provided values
Expand Down Expand Up @@ -170,7 +170,7 @@ public static int ExecuteSqlRaw(
/// </para>
/// <code>
/// var userSuppliedSearchTerm = ".NET";
/// context.Database.ExecuteSqlInterpolated($"UPDATE [dbo].[SearchBlogs] SET [Rank] = 50 WHERE [Name] = {userSuppliedSearchTerm})");
/// context.Database.ExecuteSqlInterpolated($"UPDATE Blogs SET Rank = 50 WHERE Name = {userSuppliedSearchTerm})");
/// </code>
/// </summary>
/// <param name="databaseFacade"> The <see cref="DatabaseFacade" /> for the context. </param>
Expand Down Expand Up @@ -202,7 +202,7 @@ public static int ExecuteSqlInterpolated(
/// </para>
/// <code>
/// var userSuppliedSearchTerm = ".NET";
/// context.Database.ExecuteSqlRaw("UPDATE [dbo].[SearchBlogs] SET [Rank] = 50 WHERE [Name] = {0}", userSuppliedSearchTerm);
/// context.Database.ExecuteSqlRaw("UPDATE Blogs SET Rank = 50 WHERE Name = {0}", userSuppliedSearchTerm);
/// </code>
/// <para>
/// However, <b>never</b> pass a concatenated or interpolated string (<c>$""</c>) with non-validated user-provided values
Expand Down Expand Up @@ -273,7 +273,7 @@ public static int ExecuteSqlRaw(
/// </para>
/// <code>
/// var userSuppliedSearchTerm = ".NET";
/// context.Database.ExecuteSqlInterpolatedAsync($"UPDATE [dbo].[SearchBlogs] SET [Rank] = 50 WHERE [Name] = {userSuppliedSearchTerm})");
/// context.Database.ExecuteSqlInterpolatedAsync($"UPDATE Blogs SET Rank = 50 WHERE Name = {userSuppliedSearchTerm})");
/// </code>
/// </summary>
/// <param name="databaseFacade"> The <see cref="DatabaseFacade" /> for the context. </param>
Expand Down Expand Up @@ -305,7 +305,7 @@ public static Task<int> ExecuteSqlInterpolatedAsync(
/// </para>
/// <code>
/// var userSuppliedSearchTerm = ".NET";
/// context.Database.ExecuteSqlRawAsync("UPDATE [dbo].[SearchBlogs] SET [Rank] = 50 WHERE [Name] = {0}", userSuppliedSearchTerm);
/// context.Database.ExecuteSqlRawAsync("UPDATE Blogs SET Rank = 50 WHERE Name = {0}", userSuppliedSearchTerm);
/// </code>
/// <para>
/// <b>Never</b> pass a concatenated or interpolated string (<c>$""</c>) with non-validated user-provided values
Expand Down Expand Up @@ -346,7 +346,7 @@ public static Task<int> ExecuteSqlRawAsync(
/// </para>
/// <code>
/// var userSuppliedSearchTerm = ".NET";
/// context.Database.ExecuteSqlRawAsync("UPDATE [dbo].[SearchBlogs] SET [Rank] = 50 WHERE [Name] = {0}", userSuppliedSearchTerm);
/// context.Database.ExecuteSqlRawAsync("UPDATE Blogs SET Rank = 50 WHERE Name = {0}", userSuppliedSearchTerm);
/// </code>
/// <para>
/// However, <b>never</b> pass a concatenated or interpolated string (<c>$""</c>) with non-validated user-provided values
Expand Down Expand Up @@ -387,7 +387,7 @@ public static Task<int> ExecuteSqlRawAsync(
/// </para>
/// <code>
/// var userSuppliedSearchTerm = ".NET";
/// context.Database.ExecuteSqlRawAsync("UPDATE [dbo].[SearchBlogs] SET [Rank] = 50 WHERE [Name] = {0}", userSuppliedSearchTerm);
/// context.Database.ExecuteSqlRawAsync("UPDATE Blogs SET Rank = 50 WHERE Name = {0}", userSuppliedSearchTerm);
/// </code>
/// <para>
/// However, <b>never</b> pass a concatenated or interpolated string (<c>$""</c>) with non-validated user-provided values
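Review bot: The two ExecuteSqlInterpolated examples still carry a stray closing parenthesis inside the string literal, `{userSuppliedSearchTerm})"`, so the SQL a reader copies ends in `WHERE Name = @p0)` and fails to parse; the same slip is on both the ExecuteSqlInterpolated and ExecuteSqlInterpolatedAsync lines in this file. The defect predates this commit but the commit rewrites exactly these lines, so it is the moment to drop it: `/// context.Database.ExecuteSqlInterpolated($"UPDATE Blogs SET Rank = 50 WHERE Name = {userSuppliedSearchTerm}");` and the matching `ExecuteSqlInterpolatedAsync` line. The corrected form also matches the FromSqlInterpolated example in the other changed file, which has no extra parenthesis. The bodies of the documented methods lie outside these hunks.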
Expand Up @@ -62,24 +62,24 @@ public static DbCommand CreateDbCommand(this IQueryable source)
/// </para>
/// <para>
/// If the database provider supports composing on the supplied SQL, you can compose on top of the raw SQL query using
/// LINQ operators: <c>context.Blogs.FromSqlRaw("SELECT * FROM dbo.Blogs").OrderBy(b => b.Name)</c>.
/// LINQ operators: <c>context.Blogs.FromSqlRaw("SELECT * FROM Blogs").OrderBy(b => b.Name)</c>.
/// </para>
/// <para>
/// As with any API that accepts SQL it is important to parameterize any user input to protect against a SQL injection
/// attack. You can include parameter place holders in the SQL query string and then supply parameter values as additional
/// arguments. Any parameter values you supply will automatically be converted to a DbParameter:
/// arguments. Any parameter values you supply will automatically be converted to a <see cref="DbParameter" />:
/// </para>
/// <code>context.Blogs.FromSqlRaw("SELECT * FROM [dbo].[SearchBlogs]({0})", userSuppliedSearchTerm)</code>
/// <code>context.Blogs.FromSqlRaw("SELECT * FROM Blogs WHERE Name = {0}", userSuppliedSearchTerm)</code>
/// <para>
/// However, <b>never</b> pass a concatenated or interpolated string (<c>$""</c>) with non-validated user-provided values
/// into this method. Doing so may expose your application to SQL injection attacks. To use the interpolated string syntax,
/// consider using <see cref="FromSqlInterpolated{TEntity}" /> to create parameters.
/// </para>
/// <para>
/// This overload also accepts DbParameter instances as parameter values. This allows you to use named
/// parameters in the SQL query string:
/// This overload also accepts <see cref="DbParameter" /> instances as parameter values. In addition to using positional
/// placeholders as above (<c>{0}</c>), you can also use named placeholders directly in the SQL query string:
/// </para>
/// <code>context.Blogs.FromSqlRaw("SELECT * FROM [dbo].[SearchBlogs]({@searchTerm})", new SqlParameter("@searchTerm", userSuppliedSearchTerm))</code>
/// <code>context.Blogs.FromSqlRaw("SELECT * FROM Blogs WHERE Name = @searchTerm", new SqlParameter("@searchTerm", userSuppliedSearchTerm))</code>
/// </summary>
/// <typeparam name="TEntity"> The type of the elements of <paramref name="source" />. </typeparam>
/// <param name="source">
Expand Down Expand Up @@ -115,13 +115,13 @@ public static IQueryable<TEntity> FromSqlRaw<TEntity>(
/// If the database provider supports composing on the supplied SQL, you can compose on top of the raw SQL query using
/// LINQ operators:
/// </para>
/// <code>context.Blogs.FromSqlInterpolated($"SELECT * FROM dbo.Blogs").OrderBy(b => b.Name)</code>
/// <code>context.Blogs.FromSqlInterpolated($"SELECT * FROM Blogs").OrderBy(b => b.Name)</code>
/// <para>
/// As with any API that accepts SQL it is important to parameterize any user input to protect against a SQL injection
/// attack. You can include interpolated parameter place holders in the SQL query string. Any interpolated parameter values
/// you supply will automatically be converted to a DbParameter:
/// you supply will automatically be converted to a <see cref="DbParameter" />:
/// </para>
/// <code>context.Blogs.FromSqlInterpolated($"SELECT * FROM [dbo].[SearchBlogs]({userSuppliedSearchTerm})")</code>
/// <code>context.Blogs.FromSqlInterpolated($"SELECT * FROM Blogs WHERE Name = {userSuppliedSearchTerm}")</code>
/// </summary>
/// <typeparam name="TEntity"> The type of the elements of <paramref name="source" />. </typeparam>
/// <param name="source">
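Review bot: The named-placeholder example for FromSqlRaw constructs a `SqlParameter` and uses an `@searchTerm` placeholder, both of which are SQL Server specific, while the rest of this commit deliberately strips the SQL Server-only `[dbo].[SearchBlogs]` syntax to keep the examples provider-neutral. A one-line qualifier after that example would keep the two halves of the summary consistent, e.g. `/// The parameter type and placeholder prefix shown here are those of SQL Server; use the equivalents for your provider.` It is also worth stating on the DbParameter sentence that a supplied parameter's name must match the placeholder used in the SQL, since the example relies on that without saying so. The FromSqlRaw and FromSqlInterpolated bodies are outside these hunks.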
