SqlQuery docs state to use parameter placeholders and supply additional parameters as arguments, but that's not the case for .SqlQuery

[BrettBloomerang]

Type of issue

Outdated article

Description

With current EFCore 9 (and I believe since 7?) the .SqlQuery method does not accept any arguments except for the query itself. I believe it's supposed to function like .FromSql, where interpolated strings are automatically parameterized, hence the existence of .SqlQueryRaw.

Either the documentation is outdated/incorrect, or this code is going to cause sql injection attacks to become more prevalent.

Page URL

https://learn.microsoft.com/en-us/dotnet/api/microsoft.entityframeworkcore.relationaldatabasefacadeextensions.sqlquery?view=efcore-9.0

Content source URL

https://github.com/dotnet/EntityFramework.ApiDocs/blob/live/dotnet/xml/Microsoft.EntityFrameworkCore/RelationalDatabaseFacadeExtensions.xml

Document Version Independent Id

731055e2-2c41-b2bf-4d08-8d06cd1d6cc5

Article author

@dotnet-bot

[roji]

the .SqlQuery method does not accept any arguments except for the query itself.

SqlQuery() allows safe interpolation with parameterization, just like FromSql does:

var id = 8;
var names = await context.Database
    .SqlQuery<int>($"SELECT [Name] AS [Value] FROM [Blogs] WHERE [Id] > {id}")
    .ToListAsync();

Am I missing something?

[BrettBloomerang]

@roji You and I agree on that. The documentation says otherwise, though. From the doc page:

You can include parameter place holders in the SQL query string and then supply parameter values as additional arguments. Any parameter values you supply will automatically be converted to a DbParameter.

^That piece of the "remarks" section is untrue.