score:1

I can't seem to find such a warning in the EF Core documentation. And the (sort of) funny thing is that the EF Core 2.1 query translator itself does not parameterize the generated SQL IN values clauses. Which can be seen if you replace the .FromSql line of your query with

.Where(x => artNum.Contains(x.Artikelnummer))

which btw is the LINQ to Entities equivalent of your query which translates and executes just fine, so I don't know why you bother with FromSql in this particular case.

But anyway, you can parameterize the FromSql query by including {0}, {1} etc. placeholders inside the sql string and pass values through params object[] parameters:

As with any API that accepts SQL it is important to parameterize any user input to protect against a SQL injection attack. You can include parameter place holders in the SQL query string and then supply parameter values as additional arguments. Any parameter values you supply will automatically be converted to a DbParameter.

In your case it could be like this:

// one {i} placeholder per value: "{0},{1},{2}..."
var placeholders = string.Join(",", artNum.Select((v, i) => "{" + i + "}"));
// the values are passed separately and become DbParameters, never SQL text
var values = artNum.Cast<object>().ToArray();

.FromSql("Select * from TABLE where Artikelnummer IN (" + placeholders + ")", values)
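As an added example (not part of the answer above), here is the injectable string-concatenation version next to the placeholder version, plus the interpolated-string variant that is parameterized but silently wrong; the entity, table name and context are hypothetical stand-ins for the asker's own:

```csharp
using System;
using System.Linq;
using Microsoft.EntityFrameworkCore;

// Hypothetical entity and context; substitute the real ones from the project.
public class Artikel
{
    public int Id { get; set; }
    public string Artikelnummer { get; set; }
}

public class ShopContext : DbContext
{
    public DbSet<Artikel> Artikel { get; set; }
    public ShopContext(DbContextOptions<ShopContext> options) : base(options) { }
}

public static class ArtikelQueries
{
    // UNSAFE: the values are spliced into the SQL text, so a value containing
    // a quote can change the statement instead of being compared as data.
    public static IQueryable<Artikel> ByNumbersUnsafe(ShopContext db, string[] artNum)
    {
        var list = string.Join(",", artNum.Select(v => "'" + v + "'"));
        return db.Artikel.FromSql("SELECT * FROM Artikel WHERE Artikelnummer IN (" + list + ")");
    }

    // SAFE: one {i} placeholder per value; EF Core turns every element of the
    // params array into a DbParameter, so the values never reach the SQL text.
    public static IQueryable<Artikel> ByNumbersParameterized(ShopContext db, string[] artNum)
    {
        var placeholders = string.Join(",", artNum.Select((v, i) => "{" + i + "}"));
        var values = artNum.Cast<object>().ToArray();
        return db.Artikel.FromSql(
            "SELECT * FROM Artikel WHERE Artikelnummer IN (" + placeholders + ")", values);
    }

    // PITFALL: the interpolated-string overload (FormattableString) is also
    // parameterized, but the joined list becomes ONE parameter, so the query
    // executes as IN ('a,b,c') and matches nothing. Safe, but not what you want.
    public static IQueryable<Artikel> ByNumbersSingleParameter(ShopContext db, string[] artNum)
    {
        var list = string.Join(",", artNum);
        return db.Artikel.FromSql($"SELECT * FROM Artikel WHERE Artikelnummer IN ({list})");
    }
}
```

Inspect the SQL EF Core logs for each method: only the first one contains the raw values inline; the other two show @p0, @p1, ... parameters.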
