I wrote a simple SQL query builder based on string interpolation. It was inspired by ScalikeJDBC and fixes the gap between a query parameter's definition and its value assignment.


Here is how your code may look:
This C# code transforms to SQL code:
and a set of IDbParameters filled with specified values.
Git repository: https://github.com/volkovku/FunnyDB
I think it’d be good to explain what the p function is doing. Is it constructing a SqlParameter to prevent injection?
Did you consider using FormattableString to avoid requiring the user to call the p function so much?
This is how Entity Framework does it, and it’s a pattern I’ve stolen when writing cosmos queries. As long as you don’t mind not supporting placeholders with format parameters, the implementation is pretty trivial.
At first glance I thought it looks a bit risky, as if you used a non-interpolating query function, you’d have a vulnerability – but I think as long as the function name states it’s using interpolated strings and you understand what FormattableString is doing, it’s fine.
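An added sketch of the FormattableString approach this comment describes (not part of the thread, and not FunnyDB's or Entity Framework's code). The names `InterpolatedSql`, `Build`, `Bind` and the `@p_N` placeholder naming are assumptions made for illustration.

```csharp
using System;
using System.Data;
using System.Linq;

public static class InterpolatedSql
{
    // Takes FormattableString only. A string built by concatenation has no
    // implicit conversion to FormattableString, so passing one fails to compile.
    public static (string Sql, object[] Values) Build(FormattableString query)
    {
        object[] values = query.GetArguments();
        // Fill each {N} hole with a placeholder name, never with the value itself.
        object[] names = values.Select((_, i) => (object)$"@p_{i}").ToArray();
        return (string.Format(query.Format, names), values);
    }

    // Binds the values to the command as IDbParameter objects.
    public static void Bind(IDbCommand command, FormattableString query)
    {
        var (sql, values) = Build(query);
        command.CommandText = sql;
        for (int i = 0; i < values.Length; i++)
        {
            IDbDataParameter p = command.CreateParameter();
            p.ParameterName = $"@p_{i}";
            p.Value = values[i] ?? DBNull.Value;
            command.Parameters.Add(p);
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        string name = "O'Brien"; // constructed input containing a quote character
        int minAge = 18;
        var (sql, values) = InterpolatedSql.Build(
            $"SELECT id FROM users WHERE name = {name} AND age >= {minAge}");
        Console.WriteLine(sql);
        Console.WriteLine(string.Join(", ", values));
    }
}
```

If a `string` overload of the same method is added next to the `FormattableString` one, the compiler picks the `string` overload for interpolated arguments and the values end up inlined in the SQL text, which is the risk the comment raises.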
Did you consider using FormattableString
I’ve never seen this feature before. But it looks pretty cool. I will try to adopt it if possible.
Seems unsafe, open to easy attacks
No. It doesn’t allow SQL injections, because p(value) translates to an IDbParameter and its placeholder, like @p_1_.
For example query like:
will be:
You can find examples of query results in the tests: https://github.com/volkovku/FunnyDB/blob/master/FunnyDB.Test/SqlQueryTests.cs