
Generated sql query not sanitizing alias names #518

Closed
kichalla opened this issue Aug 12, 2014 · 1 comment
Labels
closed-fixed The issue has been fixed and is/will be included in the release indicated by the issue milestone. type-unknown
Comments

@kichalla (Contributor) commented Aug 12, 2014

In my user administration pages, I was trying to sort users by registered date and I was doing the following:

[HttpGet]
public IActionResult Index()
{
    var model = _userManager.Users.OrderByDescending(user => user.RegisteredDate);

    return View(model);
}

The above resulted in a SQL query like this (from SQL Profiler):

SELECT user.[About], user.[AccessFailedCount], user.[Email], user.[EmailConfirmed], user.[Id], user.[LockoutEnabled], user.[LockoutEnd], user.[Name], user.[NormalizedUserName], user.[PasswordHash], user.[PhoneNumber], user.[PhoneNumberConfirmed], user.[RegisteredDate], user.[SecurityStamp], user.[TwoFactorEnabled], user.[UserName]
FROM [AspNetUsers] AS user
ORDER BY user.[RegisteredDate] DESC

Since user is a reserved word, this resulted in the following exception. After later changing user to something like appUser, it started working fine:

Microsoft.Data.Entity.Storage.DataStoreException: An error occured while running a data store operation. See InnerException for details. ---> System.Data.SqlClient.SqlException: Incorrect syntax near the keyword 'user'.
 at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
 at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
 at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
 at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
 at System.Data.SqlClient.SqlDataReader.TryConsumeMetaData()
 at System.Data.SqlClient.SqlDataReader.get_MetaData()
 at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
 at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async, Int32 timeout, Task& task, Boolean asyncWrite, SqlDataReader ds)
 at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, TaskCompletionSource`1 completion, Int32 timeout, Task& task, Boolean asyncWrite)
 at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
 at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
 at System.Data.SqlClient.SqlCommand.ExecuteDbDataReader(CommandBehavior behavior)
 at System.Data.Common.DbCommand.ExecuteReader()
 at Microsoft.Data.Entity.Relational.Query.QueryMethodProvider.Enumerable`1.Enumerator.MoveNext()
 at System.Linq.Enumerable.<SelectManyIterator>d__14`2.MoveNext()
 at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
 at Microsoft.Data.Entity.Query.EntityQueryExecutor.EnumerableExceptionInterceptor`1.EnumeratorExceptionInterceptor.MoveNext()
 --- End of inner exception stack trace ---
 at Microsoft.Data.Entity.Query.EntityQueryExecutor.EnumerableExceptionInterceptor`1.EnumeratorExceptionInterceptor.MoveNext()

Should we always sanitize the alias names that we generate, like in this case say [user]?
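To show what bracket-quoting every generated identifier buys (an alias such as user no longer collides with the T-SQL keyword, and a literal ] inside a name cannot break out of the quoting), here is an added, illustrative query builder. It is not EF's code; the reserved-word list is a constructed partial one, and the table and column names are taken from the query above.

```python
import re
from typing import List

# Constructed, partial list of T-SQL reserved words that commonly collide with
# generated aliases; the real list is much longer.
TSQL_RESERVED = {"USER", "ORDER", "GROUP", "SELECT", "FROM", "TABLE", "KEY", "INDEX"}

# A "regular" identifier: letter or underscore, then letters, digits, underscores.
_PLAIN_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def needs_quoting(identifier: str) -> bool:
    """True when the bare identifier would not parse: a reserved word or non-regular name."""
    return identifier.upper() in TSQL_RESERVED or not _PLAIN_IDENT.match(identifier)


def quote_identifier(identifier: str) -> str:
    """Bracket-quote a T-SQL identifier unconditionally.

    A literal ']' inside the name is doubled to ']]' so it cannot terminate the
    quoted identifier early. Length is capped at the T-SQL maximum of 128.
    """
    if not identifier or len(identifier) > 128:
        raise ValueError("identifier must be 1..128 characters")
    return "[" + identifier.replace("]", "]]") + "]"


def build_select(table: str, alias: str, columns: List[str],
                 order_by: str, descending: bool = True) -> str:
    """Emit a SELECT in which the table, alias and every column are quoted."""
    a = quote_identifier(alias)
    select_list = ", ".join(f"{a}.{quote_identifier(c)}" for c in columns)
    direction = "DESC" if descending else "ASC"
    return (f"SELECT {select_list}\n"
            f"FROM {quote_identifier(table)} AS {a}\n"
            f"ORDER BY {a}.{quote_identifier(order_by)} {direction}")


if __name__ == "__main__":
    # The same shape of query as in the issue, with the alias 'user' now quoted.
    print(build_select("AspNetUsers", "user", ["Id", "RegisteredDate"], "RegisteredDate"))
```

Quoting identifiers fixes the parsing failure shown in this issue; values still belong in parameters, not in the query text.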

@divega divega added this to the 1.0.0-beta1 milestone Aug 13, 2014
@maumar (Contributor) commented Aug 20, 2014

Fixed in 5a48b4c

@maumar maumar closed this as completed Aug 20, 2014
@ajcvickers ajcvickers added the closed-fixed The issue has been fixed and is/will be included in the release indicated by the issue milestone. label Oct 15, 2022
@ajcvickers ajcvickers modified the milestones: 1.0.0-beta1, 1.0.0 Oct 15, 2022