I execute a string query using EF 4: string query = SELECT * FROM

Question

0

Asked: May 29, 20262026-05-29T20:45:52+00:00 2026-05-29T20:45:52+00:00

I execute a string query using EF 4: string query = SELECT * FROM

0

I execute a string query using EF 4:

string query = "SELECT * FROM Table WHERE ....";

  [+ build WHERE clausule based on the user's input values]

 db.ExecuteStoreQuery<TAble>(query).ToList();

I’m wondering how to prevent that query from SQL Injection in taht WHERE clausule. Any ideas ?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-29T20:45:53+00:00

You need to use a parameterized query:

// Build where clause
var filters = new StringBuilder();
var parameters = new List<object>();
if (!string.IsNullOrEmpty(name))
{
    if (filters.Length > 0)
        filters.Append(" AND ");
    filters.Append("name = @name");
    var param = new SqlParameter("@name", SqlDbType.NVarChar);
    param.Value = name;
    parameters.Add(param);
}
...


// Build query
string query = "SELECT * FROM Table";
if (filters.Length > 0)
    query = query + " WHERE " + filters;

// Execute
db.ExecuteStoreQuery<TAble>(query, parameters.ToArray()).ToList();

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I execute a string query using EF 4: string query = SELECT * FROM

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply