Sometimes you genuinely need the set of columns to update to be data, not code. An operator maps configuration fields to database columns, and you want to honor that mapping without redeploying every time it changes. Ordinary parameter binding does not cover this case: drivers bind values, not identifiers, so a column name cannot be passed as a placeholder. The naive solution, building the UPDATE string from those column names, is also one of the easiest ways to hand-write a SQL injection vulnerability. This is how to get the flexibility without the hole.

We'll build it up in three layers: make it work, make it safe, then count the cost.

Layer 1: The dynamic update, the wrong way

The tempting version concatenates column names into SQL:

// DO NOT do this.
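To make the failure concrete, here is an added Go example (not the post's own code) that puts the concatenating builder next to an allow-listed one. The table name, the schema column set, the operator mapping and the tampered mapping entry are all constructed for illustration; in a real service the schema set would come from the deployed migration or information_schema.columns, never from the operator. Note that the unsafe statement still has exactly as many placeholders as bound arguments, so nothing at the driver layer will refuse it.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

var (
	// ErrUnmappedField: the operator mapping has no entry for a config field.
	ErrUnmappedField = errors.New("config field has no column mapping")
	// ErrUnknownColumn: the mapping names something that is not a real column.
	ErrUnknownColumn = errors.New("mapped column is not in the table schema")
)

// usersSchema is a constructed stand-in for the table's real column set.
var usersSchema = map[string]bool{"display_name": true, "email": true, "quota_bytes": true}

// tamperedMapping is a constructed operator mapping in which one entry has
// been edited to smuggle an extra assignment into the SET clause.
var tamperedMapping = map[string]string{
	"displayName": "display_name",
	"quota":       "role = 'admin', quota_bytes",
}

// sortedKeys fixes the SET-clause order so the generated SQL is deterministic.
func sortedKeys(m map[string]any) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// BuildUpdateUnsafe is the concatenating version: whatever text the mapping
// holds for a field is pasted into the statement verbatim. The values are
// still bound, so the result looks parameterized at a glance.
func BuildUpdateUnsafe(table string, mapping map[string]string, values map[string]any, id int64) (string, []any) {
	var sets []string
	var args []any
	for _, field := range sortedKeys(values) {
		sets = append(sets, mapping[field]+" = ?")
		args = append(args, values[field])
	}
	args = append(args, id)
	return fmt.Sprintf("UPDATE %s SET %s WHERE id = ?", table, strings.Join(sets, ", ")), args
}

// quoteIdent wraps a name as an ANSI double-quoted identifier. After the
// allow-list check it is belt-and-braces, but it costs nothing.
func quoteIdent(name string) string {
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// BuildUpdateSafe keeps the mapping as data but only lets it *select* a
// column from the schema allow-list; the mapping never contributes
// characters to the SQL text, and every value remains a bind parameter.
func BuildUpdateSafe(table string, schema map[string]bool, mapping map[string]string, values map[string]any, id int64) (string, []any, error) {
	var sets []string
	var args []any
	for _, field := range sortedKeys(values) {
		col, ok := mapping[field]
		if !ok {
			return "", nil, fmt.Errorf("%w: %q", ErrUnmappedField, field)
		}
		if !schema[col] {
			return "", nil, fmt.Errorf("%w: field %q -> %q", ErrUnknownColumn, field, col)
		}
		sets = append(sets, quoteIdent(col)+" = ?")
		args = append(args, values[field])
	}
	args = append(args, id)
	return fmt.Sprintf("UPDATE %s SET %s WHERE id = ?", table, strings.Join(sets, ", ")), args, nil
}

func main() {
	values := map[string]any{"displayName": "Mallory", "quota": int64(1 << 30)}

	stmt, args := BuildUpdateUnsafe("users", tamperedMapping, values, 42)
	fmt.Println("unsafe:", stmt, args) // role = 'admin' rides along, 3 placeholders, 3 args

	if _, _, err := BuildUpdateSafe("users", usersSchema, tamperedMapping, values, 42); err != nil {
		fmt.Println("safe rejected:", err)
	}

	honest := map[string]string{"displayName": "display_name", "quota": "quota_bytes"}
	stmt, args, _ = BuildUpdateSafe("users", usersSchema, honest, values, 42)
	fmt.Println("safe:", stmt, args)
}
```

The table name is a code constant here; if it also has to be data, it goes through the same kind of allow-list. Placeholder syntax is driver-specific (the example uses ?), and quoting makes the identifier case-sensitive on databases such as PostgreSQL, so keep the schema set in the exact case the columns were created with.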