Insertion using ExecuteSqlRaw() method with submitted form values in entity framework


Raw query insertion is working fine with hard-coded values, but I need to populate submitted form values in the ExecuteSqlRaw() method.

    _context
        .Database
        .ExecuteSqlRaw(@"INSERT INTO Staff([StaffFirstName],[StaffLastName],[StaffPhoto],
                         [StaffDesignation],[StaffDepartment],[StaffBio])
                         VALUES('1','2','3' ...)");

I tried the interpolation syntax, but it is not working.

CodePudding user response:

Why not use the built-in addition function in Entity Framework? The way you are trying to insert the data opens the door for SQL injection attacks.

If you want to write SQL to insert your data, I would recommend Dapper.

    _context.Staff.Add(staff);   // stage the new entity
    _context.SaveChanges();      // EF Core issues a parameterized INSERT

CodePudding user response:

Technically to make it work as is, you just omitted the $""...

BUT, as @averybusinesssolutions says and as stated in the documentation:

never pass a concatenated or interpolated string ($"") with non-validated user-provided values

This exposes you to one of the most widespread attacks: the SQL injection attack.

Just read the doc and you will have the solution. Using:

    ExecuteSqlRaw("INSERT INTO Staff(...) VALUES({0}...", StaffFirstName...);

instead of

    ExecuteSqlRaw(@"INSERT INTO Staff(...) VALUES('{StaffFirstName}'...");

should work and will be safe against injection attacks.
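The placeholder form the two answers describe, side by side with the string-splicing form the question started from, as an added C# example that is not from the question or either answer. It assumes a hypothetical EF Core context class AppDbContext whose Staff table has the columns named in the question, and a hypothetical StaffForm model bound from the submitted form; the two short variants use only two columns to keep the statement readable.

```csharp
// Added example (not from the original page). AppDbContext and StaffForm
// are assumed names; the Staff columns are the ones listed in the question.
using Microsoft.EntityFrameworkCore;

public class StaffForm
{
    public string StaffFirstName { get; set; } = "";
    public string StaffLastName { get; set; } = "";
    public string StaffPhoto { get; set; } = "";
    public string StaffDesignation { get; set; } = "";
    public string StaffDepartment { get; set; } = "";
    public string StaffBio { get; set; } = "";
}

public class StaffRepository
{
    private readonly AppDbContext _context;
    public StaffRepository(AppDbContext context) => _context = context;

    // INSECURE: form values are spliced into the SQL text before it is sent.
    // A last name such as O'Brien already breaks the statement, and any value
    // the user controls can change what the statement does.
    public int InsertUnsafe(StaffForm f) =>
        _context.Database.ExecuteSqlRaw(
            $"INSERT INTO Staff([StaffFirstName],[StaffLastName]) " +
            $"VALUES('{f.StaffFirstName}','{f.StaffLastName}')");

    // SAFE: {0}, {1}, ... are placeholders, not string formatting. EF Core
    // sends each argument as a DbParameter, so the SQL text is fixed and the
    // form values are only ever data.
    public int InsertWithParameters(StaffForm f) =>
        _context.Database.ExecuteSqlRaw(
            "INSERT INTO Staff([StaffFirstName],[StaffLastName],[StaffPhoto]," +
            "[StaffDesignation],[StaffDepartment],[StaffBio]) " +
            "VALUES({0},{1},{2},{3},{4},{5})",
            f.StaffFirstName, f.StaffLastName, f.StaffPhoto,
            f.StaffDesignation, f.StaffDepartment, f.StaffBio);

    // ALSO SAFE: ExecuteSqlInterpolated takes a FormattableString, so each
    // {expression} becomes a parameter instead of being embedded as text.
    // This is the interpolation form that does not open the injection door.
    public int InsertInterpolated(StaffForm f) =>
        _context.Database.ExecuteSqlInterpolated(
            $"INSERT INTO Staff([StaffFirstName],[StaffLastName]) " +
            $"VALUES({f.StaffFirstName},{f.StaffLastName})");
}
```

When reviewing code, the distinguishing sign is the method name: a $"" string passed to ExecuteSqlRaw is formatted by C# before EF Core sees it, while the same $"" string passed to ExecuteSqlInterpolated is parameterized.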
