How do you like to form your queries? LINQ? Interpolation? Parameters? Let me know in the comments. Source code available at: github.com/JasperKent/.NET-8-SQL-Injection Remember to subscribe at kzbin.info/door/qWQzlUDdllnLmtgfSgYTCA And if you liked the video, click the 👍.
@macmcmillen6282 6 months ago
Excellent explanation of all the ways to send raw SQL. Best I've seen on the web. Thanks for taking the time to do this!
@codingbloke 1 year ago
Completely agree with this. Personally I would be wary of using SqlQuery because although it is safe it looks unsafe. Hence when reading code in review or at the start of adding new features the developer is likely to pause at each use and ask "hmm, is this safe?", which just slows the task at hand. Worse, as you point out, the developer might assume it's safe but those subtle three characters "Raw" are there. Another issue I have with the use of FormattableString is that it explodes what looks like a single parameter into multiple parameters. E.g. you have a chunk of SQL that is a set of UNIONs and each makes use of the parameter; using SqlQuery results in multiple Db Parameters being passed instead of just a single one. Not really a big problem in most cases but I still find that a bit icky.
@CodingTutorialsAreGo 1 year ago
Good point. I hadn't spotted the multiple parameter thing.
@agentsmith2189 8 months ago
Ty
@Ellaboratoriodemolly 1 year ago
Hello, sorry for the inconvenience but could you show how to make a report in C# with the MVVM pattern (models, view, view models)?
@CodingTutorialsAreGo 1 year ago
I'll put it on the list.
@zaharivaklinov 1 year ago
Could you please elaborate a bit on the EF Core 8 features here - which exactly are they and how do they relate to SQL injections? SqlQueryRaw and FormattableString are not new to .NET 8, so I am a bit confused as to what you are referring to in the video. Thanks!
@CodingTutorialsAreGo 1 year ago
It does go back earlier than .NET. What's changed in .NET is the way that SqlQuery/Raw now do much better in mapping the results of the query onto a C# class. So the code as written would not have worked as is in earlier versions - you'd have had to do more work with the mapping. But once you'd done that work, yes the same problem would occur.
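The three points raised in this thread (the Raw versus non-Raw distinction, the FormattableString turning one value into several Db Parameters in a UNION, and EF Core 8 mapping raw SQL onto a class that is not a DbSet) in one small console program. This is an added example, not code from the video's repository. It assumes a .NET 8 console project with the Microsoft.EntityFrameworkCore.Sqlite package; the Book rows and the attacker payload are constructed for the demo, and the final query relies on EF Core substituting the same parameter name for every reuse of the indexed placeholder `{0}`.

```csharp
// Added example, not code from the video's repository. Assumes a .NET 8 console
// project referencing Microsoft.EntityFrameworkCore.Sqlite 8.x (which pulls in
// Microsoft.Data.Sqlite and Microsoft.Extensions.Logging).
using System;
using System.Linq;
using Microsoft.Data.Sqlite;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Diagnostics;

public class Book
{
    public int Id { get; set; }
    public string Title { get; set; } = "";
    public string Author { get; set; } = "";
}

// Not a DbSet. EF Core 8 maps SqlQuery/SqlQueryRaw results onto an unmapped
// class like this by matching result column names to property names.
public class TitleRow
{
    public string Title { get; set; } = "";
}

public class BookContext(SqliteConnection connection) : DbContext
{
    public DbSet<Book> Books => Set<Book>();

    protected override void OnConfiguring(DbContextOptionsBuilder options) =>
        options.UseSqlite(connection)
               // Print each executed command with its parameter list; that list is
               // how you check whether a value was parameterised, and how many times.
               .LogTo(Console.WriteLine, new[] { RelationalEventId.CommandExecuted });
}

public static class Program
{
    public static void Main()
    {
        // An in-memory SQLite database lives only as long as this open connection.
        using var connection = new SqliteConnection("Data Source=:memory:");
        connection.Open();
        using var db = new BookContext(connection);
        db.Database.EnsureCreated();

        // Constructed sample data.
        db.Books.AddRange(
            new Book { Title = "Secure Coding", Author = "Alice" },
            new Book { Title = "EF Core Internals", Author = "Bob" });
        db.SaveChanges();

        // Constructed attacker input. SqlQuery/SqlQueryRaw wrap your SQL in a subquery,
        // so a trailing "--" would break the outer statement; a payload that closes
        // its own quote still injects.
        string author = "nobody' OR 'a'='a";

        // 1. Unsafe: SqlQueryRaw takes a string, so the $"..." literal is formatted
        //    before the call and the payload is spliced into the SQL text.
        var leaked = db.Database
            .SqlQueryRaw<TitleRow>($"SELECT Title FROM Books WHERE Author = '{author}'")
            .ToList();
        Console.WriteLine($"SqlQueryRaw + interpolated string: {leaked.Count} rows (every row leaked)");

        // 2. Safe: SqlQuery takes a FormattableString, so {author} is sent as @p0.
        var safe = db.Database
            .SqlQuery<TitleRow>($"SELECT Title FROM Books WHERE Author = {author}")
            .ToList();
        Console.WriteLine($"SqlQuery + FormattableString: {safe.Count} rows");

        // 3. Parameter explosion: interpolating the same value twice produces two
        //    DbParameters (@p0 and @p1) carrying identical contents.
        var twoParams = db.Database
            .SqlQuery<TitleRow>($"SELECT Title FROM Books WHERE Author = {author} UNION SELECT Author AS Title FROM Books WHERE Title = {author}")
            .ToList();

        // 4. Same SQL through SqlQueryRaw, reusing the indexed placeholder {0}:
        //    one parameter name is substituted for every {0}, so one DbParameter.
        var oneParam = db.Database
            .SqlQueryRaw<TitleRow>(
                "SELECT Title FROM Books WHERE Author = {0} UNION SELECT Author AS Title FROM Books WHERE Title = {0}",
                author)
            .ToList();
        Console.WriteLine($"UNION via SqlQuery: {twoParams.Count} rows; via SqlQueryRaw with {{0}} reused: {oneParam.Count} rows. Compare the parameter lists logged above.");
    }
}
```

Read the `Executed DbCommand` lines the program prints: the first carries the payload inside the SQL text and returns both books, the second has a single `@p0` and returns nothing, the third lists `@p0` and `@p1` with the same value, and the fourth lists only `@p0`. The fourth form keeps the single-parameter shape the commenter wanted, but it is back on the Raw API, so the safety now depends on nobody ever replacing the `{0}` placeholder with string concatenation.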
@UsamaIsmail-r8t 1 year ago
Which keyboard do you use? Can you please tell? Love the sound.