
I've started a Blazor Web Assembly Project that makes use of Radzen components. I'm trying to create a search through my API, and I would like to use a combination of their DataGrid and new DataFilter components to do so. It looks like the best way I can do this is by tapping into the DataFilter's ViewChanged event callback, within which I can access an IQueryable.

So if I were to filter Person data by name and print out the resultant IQueryable in this callback, I get something like this:

TheMill.Shared.Models.Mill.Person[].Where(Param_0 => (IIF((Param_0.DisplayName1 == null), "", Param_0.DisplayName1) == "Ben"))

Is it possible to send this string to my API endpoint, run the query, and return the Person records that match? I'm hoping I'm headed in the right direction by looking into the ParseLambda function from Dynamic LINQ.

Minnon
  • It's probably possible but why would you want to? All the API endpoint needs to return the correct results is the name, right? So why not just send that? – Xerillio Oct 04 '22 at 15:35
  • Unless you're really careful, allowing a client to send an executable string (a string that can be translated into doing something in your database) is an easy way to introduce an [SQL injection vulnerability](https://bobby-tables.com/) in your code. – Xerillio Oct 04 '22 at 15:43
  • @Xerillio: Since they're talking about translating the query to an IQueryable, which would presumably be executed by Entity Framework, the risk is not so much SQL injection as C# injection (depending on how the parsing gets implemented). – StriplingWarrior Oct 04 '22 at 15:56
  • @StriplingWarrior If the purpose is to pass the string directly to EF and translate it to a query, then there's no C# code being generated from the string. But in any case, the resulting issue is that arbitrary code can be executed on the database, so I'd definitely still say there's an SQL injection vulnerability (if we imagine it's an SQL DB). – Xerillio Oct 04 '22 at 16:24

1 Answer


The approach you're describing is fraught. The .ToString() representation of IQueryables is not designed to be parsed back into a query. It is not guaranteed to contain all the information you need in your query (for example, if you use a closed-over variable in your lambda instead of a hard-coded string), and it can change from one version of .NET Framework to the next.

Instead, I'd recommend looking into something like OData, which is a standards-based way of creating a query string that can be translated into an Entity Framework query. In fact, Radzen's Blazor DataGrid natively supports OData bindings.

StriplingWarrior
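The two points raised above, that the ToString() text of an IQueryable drops information as soon as the filter value is a captured variable, and that the server should receive data rather than a query, can be seen in a small console program. This is an added example, not code from the question, the answer, or Radzen; the Person class, the in-memory data and the SearchByName endpoint shape are constructed stand-ins for the asker's TheMill.Shared.Models.Mill.Person and API, and the exact ToString() text depends on the .NET version.

```csharp
using System;
using System.Linq;

// Constructed stand-in for TheMill.Shared.Models.Mill.Person (assumption: only the fields the filter touches).
public sealed class Person
{
    public int Id { get; set; }
    public string? DisplayName1 { get; set; }
}

public static class QueryStringDemo
{
    // Constructed in-memory data so the program runs without a database.
    public static IQueryable<Person> People() => new[]
    {
        new Person { Id = 1, DisplayName1 = "Ben" },
        new Person { Id = 2, DisplayName1 = "Alice" },
        new Person { Id = 3, DisplayName1 = null },
    }.AsQueryable();

    // Same shape as the filter the DataFilter produced in the question: the search value is a
    // literal, so the expression text contains "Ben" and looks like it could be sent as-is.
    public static string LiteralFilterText() =>
        People().Where(p => (p.DisplayName1 == null ? "" : p.DisplayName1) == "Ben").ToString();

    // Same filter, but the value comes from a captured local. The expression text now shows a
    // compiler-generated closure (value(...).name) instead of the value, so the string no longer
    // carries enough information to rebuild the query on the server.
    public static string ClosureFilterText(string name) =>
        People().Where(p => (p.DisplayName1 == null ? "" : p.DisplayName1) == name).ToString();

    // The shape the comments recommend: the client sends only the name, the server owns the
    // query, and nothing supplied by the client is ever parsed or executed as an expression.
    public static Person[] SearchByName(IQueryable<Person> source, string name) =>
        source.Where(p => (p.DisplayName1 == null ? "" : p.DisplayName1) == name).ToArray();

    public static void Main()
    {
        Console.WriteLine(LiteralFilterText());
        Console.WriteLine(ClosureFilterText("Ben"));
        foreach (var p in SearchByName(People(), "Ben"))
            Console.WriteLine($"{p.Id}: {p.DisplayName1}");
    }
}
```

Running it prints the literal form first (matching the output quoted in the question), then the closure form with a `value(...)` placeholder where "Ben" used to be, and finally the single matching record from the parameterised server-side filter. The third function is the one to expose over the API: it accepts a plain value, so there is no expression string for a client to tamper with.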