Which code segment should you use?

You are developing a new feature that displays an auto-complete list to users as they type color names. You have an
existing ContosoEntities context object named context.

To support the new feature you must develop code that will accept a string object named text containing a user’s
partial input and will query the Colors database table to retrieve all color names that begin with that input.

You need to create an Entity SQL (ESQL) query to meet the requirement.
The query must not be vulnerable to a SQL injection attack. Which code segment should you use?

A.
var parameter = new ObjectParameter("text", text + "%");
var result = context.CreateQuery<string>(
"SELECT VALUE (c.Name) FROM Colors AS c WHERE c.Name LIKE '@text'", parameter);

B.
var parameter = new ObjectParameter("text", text + "%");
var result = context.CreateQuery<string>(
"SELECT VALUE (c.Name) FROM Colors AS c WHERE c.Name LIKE @text", parameter);

C.
var parameter = new ObjectParameter("text", text + "%");
var result = context.CreateQuery<string>(
"SELECT (c.Name) FROM Colors AS c WHERE c.Name LIKE @text", parameter);

D.
var parameter = new ObjectParameter("text", HttpUtility.HtmlEncode(text) + "%");
var result = context.CreateQuery<string>(
"SELECT (c.Name) FROM Colors AS c WHERE c.Name LIKE '@text'", parameter);

Explanation:
Entity SQL supports two variants of the SELECT clause. The first variant, row select, is identified by the SELECT keyword, and can be used to specify one or more values that should be projected out.
Because a row wrapper is implicitly added around the values returned, the result of the query expression is always a multiset of rows.
Each query expression in a row select must specify an alias. If no alias is specified, Entity SQL attempts to generate an alias by using the alias generation rules.
The other variant of the SELECT clause, value select, is identified by the SELECT VALUE keyword. It allows only one value to be specified, and does not add a row wrapper.
A row select is always expressible in terms of VALUE SELECT, as illustrated in the following example.

ESQL Select
(http://msdn.microsoft.com/en-us/library/bb399554.aspx)
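The following is an added example, not code from the original question or from any Contoso project: it places the string-spliced (injectable) form of the prefix query beside the parameterised SELECT VALUE form, and adds a hypothetical EscapeLikePattern helper so that a user-typed % or _ is matched literally rather than acting as a LIKE wildcard. It assumes ContosoEntities derives from ObjectContext (EF4 namespace System.Data.Objects; EF6 uses System.Data.Entity.Core.Objects) and that Colors is an entity set in the default container.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Objects;   // ObjectContext, ObjectParameter, ObjectQuery<T> (assumed EF4 namespace)
using System.Linq;

public static class ColorAutoComplete
{
    // Injectable variant: the user's text becomes part of the Entity SQL statement itself,
    // so a quote character in the input ends the string literal and the remainder of the
    // input is parsed as query syntax.
    public static ObjectQuery<string> VulnerableQuery(ObjectContext context, string text)
    {
        return context.CreateQuery<string>(
            "SELECT VALUE c.Name FROM Colors AS c WHERE c.Name LIKE '" + text + "%'");
    }

    // Hardened variant: the prefix is bound to the named parameter @text, so the provider
    // never parses it as Entity SQL. SELECT VALUE is used (not a row SELECT) so the query
    // yields plain strings. The ESCAPE clause declares '!' as the LIKE escape character.
    public static ObjectQuery<string> SafePrefixQuery(ObjectContext context, string text)
    {
        var parameter = new ObjectParameter("text", EscapeLikePattern(text) + "%");
        return context.CreateQuery<string>(
            "SELECT VALUE c.Name FROM Colors AS c WHERE c.Name LIKE @text ESCAPE '!'",
            parameter);
    }

    // Hypothetical helper (not part of the original question). Parameterisation stops
    // injection of query syntax, but '%' and '_' are still LIKE wildcards: an unescaped
    // "%" typed by the user would return every colour. The escape character is doubled first.
    public static string EscapeLikePattern(string input)
    {
        if (input == null) throw new ArgumentNullException("input");
        return input.Replace("!", "!!").Replace("%", "!%").Replace("_", "!_");
    }

    // Executes the hardened query and materialises the matching names.
    public static List<string> CompleteColor(ObjectContext context, string text)
    {
        return SafePrefixQuery(context, text).ToList();
    }
}
```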
