As promised, here is a much improved version of the where clause builder from my last post. This version generates parameterized queries, so it isn’t vulnerable to SQL injection. Using parameters also allowed me to simplify the logic, since I no longer need to worry about stringifying the values or using “IS” instead of “=” for null checks.
I moved all the string concatenation into a separate class called WherePart. These objects are composable in a structure similar to the source expression tree. Extracting this class is my favorite part of the refactoring.
I’m still not happy with how I’m handling the LIKE queries. I have to pass a prefix and postfix parameter down to the next level of recursion which clutters up the method signature. It might be better to just build the string in place.
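An added example, not the post's own code, of a composable, parameterized builder of this kind. The WherePart shape, the `@pN` parameter naming and the in-place LIKE handling are my assumptions, and it covers only AND/OR, equality, null checks and the string StartsWith/EndsWith/Contains methods:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;
public class WherePart // assumed shape: SQL text plus the parameters that text references
{
    public string Sql = "";
    public Dictionary<string, object> Parameters = new Dictionary<string, object>();
    public static WherePart IsSql(string sql) => new WherePart { Sql = sql };
    public static WherePart IsParameter(int n, object value) =>
        new WherePart { Sql = "@p" + n, Parameters = { { "p" + n, value } } };
    public static WherePart Concat(WherePart l, string op, WherePart r) => new WherePart
    {
        Sql = $"({l.Sql} {op} {r.Sql})",
        Parameters = l.Parameters.Concat(r.Parameters).ToDictionary(kv => kv.Key, kv => kv.Value)
    };
}
public class WhereBuilder
{
    private int _count;
    public WherePart Build<T>(Expression<Func<T, bool>> predicate) => Recurse(predicate.Body);
    private WherePart Recurse(Expression e) // assumes column on the left of a comparison, value on the right
    {
        switch (e)
        {
            case BinaryExpression b when b.NodeType == ExpressionType.AndAlso:
                return WherePart.Concat(Recurse(b.Left), "AND", Recurse(b.Right));
            case BinaryExpression b when b.NodeType == ExpressionType.OrElse:
                return WherePart.Concat(Recurse(b.Left), "OR", Recurse(b.Right));
            case BinaryExpression b when b.NodeType == ExpressionType.Equal || b.NodeType == ExpressionType.NotEqual:
                // Null is never bound as a parameter ("= NULL" is never true); emit IS [NOT] NULL instead.
                object value = Evaluate(b.Right);
                bool negated = b.NodeType == ExpressionType.NotEqual;
                if (value == null) return WherePart.Concat(Recurse(b.Left), negated ? "IS NOT" : "IS", WherePart.IsSql("NULL"));
                return WherePart.Concat(Recurse(b.Left), negated ? "<>" : "=", WherePart.IsParameter(++_count, value));
            case MethodCallExpression m when m.Method.DeclaringType == typeof(string) && m.Arguments.Count == 1:
                // LIKE: the wildcards are folded into the parameter value here instead of being passed down the
                // recursion. A '%' or '_' typed by the user still acts as a wildcard; add an ESCAPE clause if that matters.
                string pattern = (string)Evaluate(m.Arguments[0]);
                pattern = m.Method.Name switch { "StartsWith" => pattern + "%", "EndsWith" => "%" + pattern,
                    "Contains" => "%" + pattern + "%", _ => throw new NotSupportedException(m.Method.Name) };
                return WherePart.Concat(Recurse(m.Object), "LIKE", WherePart.IsParameter(++_count, pattern));
            case MemberExpression mem when mem.Expression is ParameterExpression:
                return WherePart.IsSql("[" + mem.Member.Name + "]"); // column name comes from the type, never from input
            default: throw new NotSupportedException(e.NodeType.ToString());
        }
    }
    // Folds constants and captured variables (closures) into a runtime value.
    private static object Evaluate(Expression e) => Expression.Lambda(e).Compile().DynamicInvoke();
}
```

Building `x => x.Name.StartsWith(term) && x.DeletedAt == null` yields `(([Name] LIKE @p1) AND ([DeletedAt] IS NULL))` with one parameter, so the user-supplied `term` never touches the SQL text.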