Consolidate C#, .NET, and ASP pages into single .NET page (with or without subpages) #79

Closed
zspitz opened this issue Apr 12, 2018 · 9 comments

@zspitz
Contributor

zspitz commented Apr 12, 2018

The information for avoiding SQL injection in .NET is currently fragmented over 3 different pages: C#, .NET, and ASP. It should really be consolidated into a single page (with or without subpages as appropriate), and should be structured as follows:

This information is the same for any .NET language -- C#, VB.NET, F#, IronPython -- and for every .NET programming environment -- ASP.NET, WPF, console application, WinForms. At best it might be good to have examples for various languages on each subsection.

One important note: some providers support named parameters (e.g. the SQL Server provider); some providers support position parameters (e.g. the OLE DB provider).

@petdance
Owner

That sounds great. I'll need someone who's not me to write it, since I don't know anything about the Windows ecosystem. If you're interested in doing so, please comment on this ticket.

@zspitz
Contributor Author

zspitz commented Apr 12, 2018

@petdance I am interested in writing this; I've already written something similar.

I'm just worried that this is too much information to fit on a single page. Do you agree? Or is there some facility for sub-pages?

@petdance
Owner

I'm not sure if that will be necessary or not. Once you write it up, and I format it and massage it into Markdown and see how it looks, then we can figure out if it's too much.

The formatting is the least of my concerns. What's most important to me is that we get someone knowledgeable who understands the topic that can write it up.

@zspitz
Contributor Author

zspitz commented Aug 6, 2018

@petdance I've finally gotten to this, and have a first draft. Some points:

  • ADO.NET is automatically rendered as a hyperlink, which I've hacked around by writing ADO<i></i>.NET. Is this acceptable?
  • I've set up two pages: adodotnet.md for direct ADO.NET, and adodotnet_orm.md for ORMs built on top of ADO.NET such as Entity Framework and Dapper.
  • This is still very much a work in progress; should I create a pull request, or should I wait until it's more complete?

If you could take a look and make sure that I'm going in the right direction, I would appreciate it very much.

@petdance
Owner

petdance commented Aug 6, 2018

Will do. At a conference this week but I will look at it ASAP. Thanks!

@petdance
Owner

petdance commented Aug 6, 2018

> ADO.NET is automatically rendered as a hyperlink, which I've hacked around by writing ADO.NET. Is this acceptable?

Better to just make the cranker just ignore uppercase URL-like things.

Holy cats, that page is great. More detail than anything I've put together. Thank you.

Two quick things. First, please remove the TL;DR heading. The summary doesn't need to be labeled as such.

Also, please put a chunk of code in that summary, if you can whittle an example down to a line or three. The code that you supply is a big part of the value of reading that page, and putting some code up top will encourage the reader to read on to see more code.

> If you could take a look and make sure that I'm going in the right direction, I would appreciate it very much.

Yes, yes, beautiful, yes. Thank you.

@zspitz
Contributor Author

zspitz commented Aug 7, 2018

Thanks for your input. I've removed the heading and put up an example. It's not a complete example of accessing data, but only the necessary steps needed to avoid SQL injection.

> More detail than anything I've put together.

I only hope it's not too much detail. Most of the information is there to hammer home this:

The shared architecture across providers means that there is a single common strategy for avoiding SQL injection for all data providers, in all .NET languages.
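
An added example (not code from this issue or from the project's pages) of the points made in this thread: one provider-independent routine binds user input as parameters, and only the placeholder syntax differs between a named-parameter provider (SQL Server) and a positional one (OLE DB). The `Users` table, its columns, and the `BuildLookup` helper are hypothetical; the connections are never opened, so the program only prints what would be sent.

```csharp
using System;
using System.Data.Common;
using System.Data.OleDb;
using System.Data.SqlClient;

static class ParameterizedQueryDemo
{
    // Hypothetical helper: binds each value as a parameter through the shared
    // DbCommand API. Parameters are added in argument order, which is what a
    // positional provider relies on; a named provider matches on @p0, @p1, ...
    static DbCommand BuildLookup(DbConnection conn, string sql, params object[] values)
    {
        DbCommand cmd = conn.CreateCommand();
        cmd.CommandText = sql;               // SQL text never contains user input
        for (int i = 0; i < values.Length; i++)
        {
            DbParameter p = cmd.CreateParameter();
            p.ParameterName = "@p" + i;      // ignored by OLE DB, used by SQL Server
            p.Value = values[i] ?? DBNull.Value;
            cmd.Parameters.Add(p);
        }
        return cmd;
    }

    static void Main()
    {
        string name = "x' OR '1'='1";        // constructed sample input
        int tenantId = 42;                   // constructed sample input

        using (var sqlConn = new SqlConnection())
        using (var oleConn = new OleDbConnection())
        // Named placeholders: SQL Server provider.
        using (DbCommand named = BuildLookup(sqlConn,
            "SELECT Id FROM Users WHERE Name = @p0 AND TenantId = @p1", name, tenantId))
        // Positional placeholders: OLE DB provider; order of Add() must match the ?s.
        using (DbCommand positional = BuildLookup(oleConn,
            "SELECT Id FROM Users WHERE Name = ? AND TenantId = ?", name, tenantId))
        {
            foreach (DbCommand cmd in new[] { named, positional })
            {
                Console.WriteLine("{0}: {1}", cmd.GetType().Name, cmd.CommandText);
                foreach (DbParameter p in cmd.Parameters)
                    Console.WriteLine("  {0} ({1}) = {2}", p.ParameterName, p.DbType, p.Value);
            }
        }
    }
}
```

In both cases the quote characters in `name` travel as parameter data and never become part of the command text.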

@petdance
Owner

Can this be closed now?

@zspitz
Contributor Author

zspitz commented Aug 14, 2018

> Can this be closed now?

I think so. We've reached the goals outlined in the first post of the issue.
