I am using Microsoft.Azure.DocumentDB.Core version 2.1.1 library in .NET application to query data from Cosmos DB.
Below is a code that I am using to query the data from Cosmos DB:
var query = predicate == null
? docClient.CreateDocumentQuery<T>(CollectionUri, new FeedOptions {..... }).AsDocumentQuery()
: docClient.CreateDocumentQuery<T>(CollectionUri, new FeedOptions { .....}).Where(predicate).AsDocumentQuery();
From the above code, my question is: will using a predicate in the query be SQL injection safe?
It will indeed be safe.
The SDK is using an internal LINQ to CosmosDB SQL converter which will just convert the LINQ to a query which is a single string. The SDK will use internal classes like SqlSelectClause, SqlWhereClause etc to construct a safe final result.
You can also see the exact query that your LINQ creates by using query.ToString().
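As an added illustration (not code from the question or the answer), the following shows both ways of keeping user input out of the query text with the same SDK version: the LINQ path from the question, where the SDK's translator emits the captured value itself, and the raw-SQL path, where a SqlParameter binds the value. The Customer type, the database and collection names, and the method names are hypothetical; the SDK calls (CreateDocumentQuery, SqlQuerySpec, SqlParameterCollection, AsDocumentQuery, ExecuteNextAsync) are the real Microsoft.Azure.DocumentDB.Core 2.x APIs.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Azure.Documents;
using Microsoft.Azure.Documents.Client;
using Microsoft.Azure.Documents.Linq;

// Hypothetical document shape used only for this example.
public class Customer
{
    public string id { get; set; }
    public string Name { get; set; }
}

public static class SafeQueries
{
    // Hypothetical database/collection names: replace with your own.
    private static readonly Uri CollectionUri =
        UriFactory.CreateDocumentCollectionUri("exampleDb", "customers");

    // 1) LINQ path: untrustedName is captured as a LINQ constant and written out
    //    by the SDK's LINQ-to-SQL translator; our code never splices it into SQL text.
    public static string LinqQueryText(DocumentClient docClient, string untrustedName)
    {
        var query = docClient
            .CreateDocumentQuery<Customer>(CollectionUri,
                new FeedOptions { EnableCrossPartitionQuery = true })
            .Where(c => c.Name == untrustedName)
            .AsDocumentQuery();

        // ToString() exposes the generated query; check it when reviewing query code.
        return query.ToString();
    }

    // 2) Raw-SQL path: when SQL must be written by hand, bind the value with a
    //    SqlParameter. Never build the text with string concatenation or
    //    interpolation such as $"... WHERE c.Name = '{untrustedName}'".
    public static async Task<List<Customer>> ParameterizedQueryAsync(
        DocumentClient docClient, string untrustedName)
    {
        var spec = new SqlQuerySpec(
            "SELECT * FROM c WHERE c.Name = @name",
            new SqlParameterCollection { new SqlParameter("@name", untrustedName) });

        var query = docClient
            .CreateDocumentQuery<Customer>(CollectionUri, spec,
                new FeedOptions { EnableCrossPartitionQuery = true })
            .AsDocumentQuery();

        var results = new List<Customer>();
        while (query.HasMoreResults)
        {
            results.AddRange(await query.ExecuteNextAsync<Customer>());
        }
        return results;
    }
}
```

The practical review rule this gives you: a predicate passed as an Expression<Func<T, bool>> is translated, not concatenated, so it is safe; any code path that assembles SQL text by hand should be changed to SqlQuerySpec with parameters.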