
I am making a dynamic query for DocumentDB with the following:

 var i = saList[index];
 engagementFilter.Append($"f.keys.SelectedEngagementId  = {i}");

This produces the query as

(f.keys.SelectedEngagementId = f9721f2e-144d-40b9-b530-fcf067cab682 OR f.keys.SelectedEngagementId = f55dd402-9975-4c55-8486-6cb9c6330a66)

but I need quotes around the GUID. How can I do that?

(f.keys.SelectedEngagementId = "f9721f2e-144d-40b9-b530-fcf067cab682" OR f.keys.SelectedEngagementId = "f55dd402-9975-4c55-8486-6cb9c6330a66")

  • Can't you escape the double quotes and add them like `\"{i}\"`? – Paul Karam Jan 12 '18 at 07:43
  • Sorry Peter, I voted to reopen since this is for databases. There is more than just a simple escaping on most platforms (like parameterized queries). – Patrick Hofman Jan 12 '18 at 07:46
  • @PatrickHofman: all due respect, it is inappropriate for you to have done that. The question is clearly about escaping quotes, whether or not you think the OP needs different information. And, if you really believed that this needs an answer about parameterized queries, there are plenty of duplicates on Stack Overflow with _those_ kinds of answers. This question is poorly researched, and does not need or deserve any answers. – Peter Duniho Jan 12 '18 at 07:49
  • I am not sure if there is an answer specific for Cosmos DB, but you are right, there are enough general answers that cover that. If you have a good one, I will be happy to close it. @PeterDuniho – Patrick Hofman Jan 12 '18 at 07:51
  • @PatrickHofman: as far as I'm concerned, the fact that the answer which is exactly a duplicate of the one I'd originally used to close the question is both the highest-voted and accepted is proof enough that the original duplicate was most appropriate. There are others that include answers which attempt to redirect people risking query injection, such as https://stackoverflow.com/questions/25015520/double-double-quotes-in-the-string, but that's best left to comments, not answers that don't actually address the specific question asked. – Peter Duniho Jan 12 '18 at 22:23

3 Answers

5

You could try to add them and escape them using the backslash `\`:

engagementFilter.Append($"f.keys.SelectedEngagementId  = \"{i}\"");
Christos
2

You should use parameterized queries instead. This will protect you against SQL injection and will improve query parsing in the database.

engagementFilter.Append($"f.keys.SelectedEngagementId  = @i{position}");

Where you add @i0 and so on to your parameters.

Read more on parameterized queries here in the documentation (section Parameterized SQL queries).

Patrick Hofman
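As an added example (not code from the question or from any of the answers), here is the parameterized approach from the answer above built out for the whole `saList`, using the `SqlQuerySpec` and `SqlParameter` types of the Microsoft.Azure.Documents SDK (assumed to be the SDK in use); the `f` alias and the `@i{position}` naming come from the question and the answer, and `saList` is assumed to hold the ids as strings.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Azure.Documents;        // SqlQuerySpec, SqlParameter, SqlParameterCollection
                                        // (Microsoft.Azure.DocumentDB NuGet package, assumed)

// Builds the "SelectedEngagementId = ... OR ..." filter from the question with
// one named parameter per id. The id values never become part of the query
// text, so a value containing a quote, a parenthesis or an OR cannot change
// the structure of the query; with string interpolation it could.
public static class EngagementQueries
{
    public static SqlQuerySpec BuildFilter(IReadOnlyList<string> saList)
    {
        if (saList == null || saList.Count == 0)
            throw new ArgumentException("At least one engagement id is required.", nameof(saList));

        var parameters = new SqlParameterCollection();
        var clauses = new List<string>(saList.Count);

        for (int position = 0; position < saList.Count; position++)
        {
            // The ids are GUIDs, so reject anything that is not one before it
            // reaches the database; this catches malformed input early.
            if (!Guid.TryParse(saList[position], out _))
                throw new ArgumentException($"Not a GUID: '{saList[position]}'", nameof(saList));

            // Same naming scheme as in the answer above: @i0, @i1, ...
            string name = "@i" + position;
            clauses.Add($"f.keys.SelectedEngagementId = {name}");
            parameters.Add(new SqlParameter(name, saList[position]));
        }

        string queryText = "SELECT * FROM f WHERE (" + string.Join(" OR ", clauses) + ")";
        return new SqlQuerySpec(queryText, parameters);
    }
}

// Usage (client and collectionLink are hypothetical names for your own objects):
//   var spec = EngagementQueries.BuildFilter(saList);
//   var docs = client.CreateDocumentQuery<dynamic>(collectionLink, spec).ToList();
```

The resulting `QueryText` is `SELECT * FROM f WHERE (f.keys.SelectedEngagementId = @i0 OR f.keys.SelectedEngagementId = @i1)`, and the two GUIDs travel as parameter values rather than as quoted literals in the text.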
1

$"f.keys.SelectedEngagementId = \"{i}\"" or $@"f.keys.SelectedEngagementId = ""{i}"""

john doe