One of the new features in Entity Framework Core 2 is the ability to automatically convert interpolated strings into parameterized SQL. Though designed to avoid problems with poorly written SQL, it is feared that it may actually lead to more SQL injection attacks.

Here is an example of string interpolation working correctly:

var city = "Redmond"; context.Customers.FromSql($"SELECT * FROM Customers WHERE City = {city}"); SELECT * FROM Customers WHERE City = @p0

And here is a slightly modified version that doesn’t work:

var city = "Redmond"; var sql = $"SELECT * FROM Customers WHERE City = {city}"; context.Customers.FromSql(sql); SELECT * FROM Customers WHERE City = Redmond

The simple act of storing an expression in a local variable completely changes the behavior of the code.

To understand why this happens you need to know what $" actually does in C#. At first glance it looks like it is just converting the interpolated string into a normal String.Format call. But there is a little more to it.

The natural type of an $" expression is actually a subclass of FormattableString. This object contains the format string expression and all of values needed to populate it. When you pass this object to EF Core’s FromSql(FormattableString) method, it performs the necessary substitutions so that you get a parameterized SQL expression.

The problem is that the compiler doesn’t like working with FormattableString. Unless you directly assign it to a variable or parameter of that type, an $" expression will be immediately converted to a string. Normally this is a benign change, as you are going to want it in String format eventually.

Unfortunately, in the case of EF Core, you lose all of the interesting information that allows Entity Framework to parameterize your SQL. And with no compiler warnings or other hints that something went wrong, this kind of bug can easily creep into an application as developers attempt to “clean up” the code.

To see more examples of how mistakes in using string interpolation in EF Core can lead to SQL injections attacks, download Nick Craver’s EFCoreInjectionSample from GitHub or watch his presentation on ASP.NET monsters titled SQL Injection attacks in Entity Framework Core 2.0.