Entity Framework (EF Core) includes an ORM. A LINQ query like the one below is translated by EF into SQL in which the value of username is sent as a query parameter, never spliced into the SQL text, so it is not subject to SQL injection.
public User GetUser(string username)
{
    // LINQ predicate: EF emits a parameterized WHERE clause for username.
    return _context.Users.Where(x => x.UserName == username).FirstOrDefault();
}
If the developer for some reason decides to use raw SQL, the query can still be protected from SQL injection by passing user input as parameters. FromSqlRaw turns each {0}, {1}, ... placeholder into a DbParameter (this is not string formatting), so the input is bound as a value rather than parsed as SQL. Note that this only holds when the placeholders survive into the call: a C# interpolated string such as FromSqlRaw($"... {username}") is evaluated into a plain string before FromSqlRaw sees it and is just as vulnerable as concatenation; use FromSqlInterpolated (or FromSql in EF Core 7+) when interpolation is wanted.
public User GetUserRawParameterized(string username)
{
    // {0} becomes a DbParameter bound to username; the SQL text never contains the input.
    return _context.Users.FromSqlRaw("SELECT * FROM Users WHERE username = {0}", username).FirstOrDefault();
}
If the developer instead builds the SQL text by concatenating user input and passes it to FromSqlRaw, the application is vulnerable to SQL injection: the input is now part of the SQL statement and a single quote in it changes the structure of the query.
public User GetUserRaw(string username)
{
    // VULNERABLE: username is spliced into the SQL text before EF sees it.
    var query = "SELECT * FROM Users WHERE username = '" + username + "'";
    return _context.Users.FromSqlRaw(query).FirstOrDefault();
}
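The following added example (not code from the original page) puts the three patterns above, plus the interpolated-string trap, side by side in a runnable EF Core program against an in-memory SQLite database and feeds them a constructed injection payload. The User entity, AppDbContext, UserRepository and the NuGet packages Microsoft.EntityFrameworkCore.Sqlite and Microsoft.Data.Sqlite are assumptions for the example.

```csharp
using System;
using System.Linq;
using Microsoft.Data.Sqlite;
using Microsoft.EntityFrameworkCore;

// Assumed model and context (not from the page): a single Users table.
public class User
{
    public int Id { get; set; }
    public string UserName { get; set; } = "";
    public bool IsAdmin { get; set; }
}

public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<User> Users => Set<User>();
}

public class UserRepository
{
    private readonly AppDbContext _context;
    public UserRepository(AppDbContext context) => _context = context;

    // VULNERABLE: the SQL text is assembled before EF sees it, so the input is SQL.
    public User? GetUserRaw(string username)
        => _context.Users
            .FromSqlRaw("SELECT * FROM Users WHERE UserName = '" + username + "'")
            .FirstOrDefault();

    // VULNERABLE: a C# interpolated string passed to FromSqlRaw is converted to a
    // plain string first, so no placeholder reaches EF; same as concatenation.
    public User? GetUserRawInterpolatedWrong(string username)
        => _context.Users
            .FromSqlRaw($"SELECT * FROM Users WHERE UserName = '{username}'")
            .FirstOrDefault();

    // SAFE: {0} is turned into a DbParameter by EF Core, never spliced into the text.
    public User? GetUserRawParameterized(string username)
        => _context.Users
            .FromSqlRaw("SELECT * FROM Users WHERE UserName = {0}", username)
            .FirstOrDefault();

    // SAFE: the FormattableString overload captures each {expr} as a parameter.
    public User? GetUserInterpolated(string username)
        => _context.Users
            .FromSqlInterpolated($"SELECT * FROM Users WHERE UserName = {username}")
            .FirstOrDefault();
}

public static class Program
{
    public static void Main()
    {
        // In-memory SQLite: the database lives as long as this connection stays open.
        using var connection = new SqliteConnection("DataSource=:memory:");
        connection.Open();
        var options = new DbContextOptionsBuilder<AppDbContext>()
            .UseSqlite(connection)
            .Options;

        using var context = new AppDbContext(options);
        context.Database.EnsureCreated();
        context.Users.Add(new User { UserName = "admin", IsAdmin = true });
        context.Users.Add(new User { UserName = "alice", IsAdmin = false });
        context.SaveChanges();

        var repo = new UserRepository(context);

        // Constructed attacker input: closes the quoted literal and appends an
        // always-true predicate, so the concatenated WHERE clause matches every row.
        const string payload = "x' OR '1'='1";

        Report("GetUserRaw (concatenation)", repo.GetUserRaw(payload));
        Report("GetUserRawInterpolatedWrong ($ + FromSqlRaw)", repo.GetUserRawInterpolatedWrong(payload));
        Report("GetUserRawParameterized ({0})", repo.GetUserRawParameterized(payload));
        Report("GetUserInterpolated (FromSqlInterpolated)", repo.GetUserInterpolated(payload));
    }

    private static void Report(string method, User? user)
        => Console.WriteLine($"{method}: {(user is null ? "(no row)" : user.UserName)}");
}
```

With the payload above, the two vulnerable methods execute `WHERE UserName = 'x' OR '1'='1'` and return a row even though no such user exists, while the two parameterized methods send the whole payload as a bound string value, look for a user literally named `x' OR '1'='1`, and return nothing. The `$"..."` case is the one most often missed in review: it compiles without warning because C# silently converts the interpolated string to `string` for the `FromSqlRaw(string, params object[])` overload.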