ADRNV · ADRNV · Dec 21, 2025 · Oct 17, 2025 · Oct 17, 2025 · Dec 21, 2025
diff --git a/QMap.SqlBuilder.Tests/SqlBuilderParseTests.cs b/QMap.SqlBuilder.Tests/SqlBuilderParseTests.cs
@@ -84,7 +84,7 @@ public void FullSqlInsertBuildWitoutSyntaxErrosInAllParsers()
                  .Create<TypesTestEntity>();
 
             var sql = queryBuilder
-                .BuildInsert(connectionFake, out var _, entity, (p) => p.Name == "Id");
+                .BuildInsert(connectionFake, out var _, entity, (p) => p.Id);
 
             _parsers.ToList().ForEach(p =>
             {
@@ -151,7 +151,7 @@ public void BuildDeleteNoThrowsErrors()
             StatementsBuilders queryBuilder = new StatementsBuilders(new SqlDialectBase());
 
             var sql = queryBuilder
-                .Delete<TypesTestEntity>()
+                .Delete<TypesTestEntity>(out var _)
                 .From(typeof(TypesTestEntity))
                 .Build();
         }
@@ -165,7 +165,7 @@ public void BuildDeleteThrowInvalidOperationException()
                 StatementsBuilders queryBuilder = new StatementsBuilders(new SqlDialectBase());
 
                 var sql = queryBuilder
-                    .Delete<TypesTestEntity>()
+                    .Delete<TypesTestEntity>(out var _)
                     .Build();
             });
         }
@@ -177,7 +177,7 @@ public void DeleteSqlBuidWitoutSyntaxErrosInAllParsers()
             StatementsBuilders queryBuilder = new(new TSqlDialect());
 
             var sql = queryBuilder
-            .Delete<TypesTestEntity>()
+            .Delete<TypesTestEntity>(out var _)
                 .From(typeof(TypesTestEntity))
                 .Build();
 
@@ -196,7 +196,7 @@ public void DeleteFullSqlBuidWitoutSyntaxErrosInAllParsers()
             StatementsBuilders queryBuilder = new(new SqlDialectBase());
 
             var sql = queryBuilder
-                .Delete<TypesTestEntity>()
+                .Delete<TypesTestEntity>(out var _)
                 .From(typeof(TypesTestEntity))
                 .Where<TypesTestEntity>((TypesTestEntity t) => t.Id < 0, out var parameters)
                 .Build();

diff --git a/QMap.SqlBuilder/Abstractions/IInsertBuilder.cs b/QMap.SqlBuilder/Abstractions/IInsertBuilder.cs
@@ -1,10 +1,11 @@
-using System.Reflection;
+using System.Linq.Expressions;
+using System.Reflection;
 
 namespace QMap.SqlBuilder.Abstractions
 {
     public interface IInsertBuilder : IQueryBuilder
     {
         IInsertBuilder BuildInsert<T>(T entity);
-        public IInsertBuilder BuildInsertExcept<T>(T entity, Func<PropertyInfo, bool> exceptPropsFilter);
+        public IInsertBuilder BuildInsertExcept<T, TProperty>(T entity, Expression<Func<T, TProperty>> exceptPropsFilter);
     }
 }
diff --git a/QMap.SqlBuilder/QueryBuilderExtensions.cs b/QMap.SqlBuilder/QueryBuilderExtensions.cs
@@ -55,21 +55,25 @@ public static IUpdateBuilder Update<T, V>(this IQueryBuilder queryBuilder, IQMap
             return builder;
         }
 
-        public static IDeleteBuilder Delete<T>(this IQueryBuilder queryBuilder)
+        public static IDeleteBuilder Delete<T>(this IQueryBuilder queryBuilder, out Dictionary<string, object> parameters)
         {
-            return new DeleteBuilder(queryBuilder.SqlDialect)
+            var builder = new DeleteBuilder(queryBuilder.SqlDialect)
                 .BuildDelete<T>();
+
+            parameters = builder.Parameters;
+
+            return builder;
         }
 
         public static string Build(this IQueryBuilder queryBuilder)
         {
             return queryBuilder.Build();
         }
 
-        public static string BuildInsert<T>(this IQueryBuilder queryBuilder, IQMapConnection connection, out Dictionary<string, object> parameters, T entity, Func<PropertyInfo, bool> exceptProperty)
+        public static string BuildInsert<T, TProperty>(this IQueryBuilder queryBuilder, IQMapConnection connection, out Dictionary<string, object> parameters, T entity, Expression<Func<T, TProperty>> exceptProp)
         {
             var builder = new InsertBuilder(queryBuilder.SqlDialect)
-                .BuildInsertExcept(entity, exceptProperty);
+                .BuildInsertExcept(entity, exceptProp);
 
             parameters = builder.Parameters;
 

diff --git a/QMap.SqlBuilder/StatementsBuilders.cs b/QMap.SqlBuilder/StatementsBuilders.cs
@@ -56,7 +56,7 @@
        {
        }

        public string Sql
        {
            get => _sql;

@@ -78,7 +78,7 @@
            return this;
        }

        public string Build()
        {
            throw new InvalidOperationException();
        }
@@ -109,14 +109,16 @@
 
         public IFromBuilder BuildFrom(ISelectBuilder quryBuilder, Type entity, params Type[] entities)
         {
-            this.Sql += $"{quryBuilder.Sql}" + $" from {entity.Name} " + _aliases.GetOrAdd(entity.Name, (ak) => NameToAlias(entity.Name));
+            this.Sql += FormattableStringFactory
+                .Create("{0} from {1} {2}", quryBuilder.Sql, entity.Name, _aliases.GetOrAdd(entity.Name, (ak) => NameToAlias(entity.Name)));
 
             return this;
         }
 
         public IFromBuilder BuildFrom(IDeleteBuilder quryBuilder, Type entity, params Type[] entities)
         {
-            this.Sql += $"{quryBuilder.Sql}" + $" from {entity.Name} ";
+            this.Sql += FormattableStringFactory
+                .Create("{0} from {1}", quryBuilder.Sql, entity.Name);
 
             return this;
         }
@@ -203,6 +205,7 @@
 
     public class InsertBuilder : StatementsBuilders, IInsertBuilder
     {
+        private IEnumerable<PropertyInfo> _properties;
         public InsertBuilder(ISqlDialect sqlDialect) : base(sqlDialect)
         {
         }
@@ -226,11 +229,19 @@
             return this;
         }
 
-        public IInsertBuilder BuildInsertExcept<T>(T entity, Func<PropertyInfo, bool> exceptPropsFilter)
+        public IInsertBuilder BuildInsertExcept<T, TProperty>(T entity, Expression<Func<T, TProperty>> exceptProp)
         {
-            var columns = BuildColumns<T>(exceptPropsFilter);
+            MemberInfo? excludedMember = null;
+
+            if(exceptProp.Body is MemberExpression member)
+            {
+                excludedMember = member.Member;
+            }
+
+            var columns = BuildColumns<T>(excludedMember);
             var values = BuildValues(entity, columns);
 
+
             Sql = $"insert into {typeof(T).Name} " +
                 $"({columns.Aggregate((c1, c2) => $"{c1},{c2}")})"
                 + "values"
@@ -239,35 +250,35 @@
             return this;
         }
 
-        private IEnumerable<string> BuildColumns<T>(Func<PropertyInfo, bool>? exceptPropsFilter = null)
+        private IEnumerable<string> BuildColumns<T>(MemberInfo? exceptProp = null)
         {
-            var properties = typeof(T)
+             _properties = typeof(T)
                   .GetProperties(BindingFlags.Public
                      | BindingFlags.GetProperty
                      | BindingFlags.SetProperty
                      | BindingFlags.Instance)
                   .AsEnumerable();
 
-            if (exceptPropsFilter != null)
+            if (exceptProp != null)
             {
-                properties = properties.Where(p => !exceptPropsFilter.Invoke(p));
+                _properties = _properties.Where(p => p.Name != exceptProp.Name);
             }
 
-            return properties
+            return _properties
                  .Select(p => p.Name);
         }
 
         private IEnumerable<string> BuildValues<T>(T entity, IEnumerable<string> columns)
         {
-            var properties = typeof(T)
+            _properties = typeof(T)
                   .GetProperties(BindingFlags.Public
                      | BindingFlags.GetProperty
                      | BindingFlags.SetProperty
                      | BindingFlags.Instance)
                   .AsEnumerable();
 
 #nullable disable
-            return properties
+            return _properties
                 .Where(p => columns.Contains(p.Name))
                 .Select(p =>
                 {
@@ -311,8 +322,6 @@
         {
         }
 
-        public Dictionary<string, object> Parameters => throw new NotImplementedException();
-
         private Type _entity = null;
 
         public string Build()

diff --git a/QMap.Tests/QMapConnectionExtensionTests.cs b/QMap.Tests/QMapConnectionExtensionTests.cs
@@ -229,8 +229,7 @@ public void InsertWithoutPropertyExecutesWithoutErrors()
 
                 connection.Open();
 
-                connection.Insert(entity, p => p.Name == "Id");
-
+                connection.Insert(entity, p => p.Id);
                 connection.Close();
 
                 context.Database.EnsureDeleted();
@@ -496,5 +495,34 @@ public void Update_Should_Not_Pass_Drop_Statemant_When_Injection_In_Where()
                 context.TypesTestEntity.Count();
             });
         }
+
+        [Fact]
+        public void Delete_Should_Not_Pass_Drop_Statemant_When_Injection_In_Where()
+        {
+            var builder = new StatementsBuilders(new SqlDialectBase());
+
+            _connectionFactories.ForEach(c =>
+            {
+
+                var context = c.GetDbContext<TestContext>();
+
+                context.Database.EnsureCreated();
+
+                using var connection = c.Create();
+
+                connection.Open();
+
+                var entity = new Fixture()
+                .Build<TypesTestEntity>()
+                .Without(t => t.Id)
+                .Create();
+
+                context.TypesTestEntity.Add(entity);
+                context.SaveChanges();
+                connection.Delete<TypesTestEntity>((TypesTestEntity t) => t.StringField != "\'DROP TABLE TypesTestEntity;--");
+
+                context.TypesTestEntity.Count();
+            });
+        }
     }
 }
diff --git a/QMap/QMapConnectionExtension.cs b/QMap/QMapConnectionExtension.cs
@@ -6,6 +6,7 @@
 using System.Data;
 using System.Linq.Expressions;
 using System.Reflection;
+using System.Runtime.CompilerServices;
 
 namespace QMap
 {
@@ -34,6 +35,30 @@ public static class QMapConnectionExtension
             return queryMapper.Map<T>(command.ExecuteReader());
         }
 
+        /// <summary>
+        /// Execute query and map to <typeparamref name="T"/>
+        /// </summary>
+        /// <typeparam name="T"></typeparam>
+        /// <param name="connection">Connection</param>
+        /// <param name="sql">Qery text</param>
+        /// <param name="customMapper">Custom mapper if required, else uses base implementation"/></param>
+        /// <returns></returns>
+        public static IEnumerable<T> Query<T>(this IQMapConnection connection, string sql, object[] parameters, IEntityMapper? customMapper = null) where T : class, new()
+        {
+            var mapper = _mappersCache.GetOrAdd(typeof(T),
+                (customMapper is null ? new EntityMapper() : customMapper));
+
+            var queryMapper = new QueryMapperBase(mapper);
+
+            var parametrizedString = FormattableStringFactory.Create(sql, parameters);
+
+            var command = connection.CreateCommand();
+
+            command.CommandText = parametrizedString.ToString();
+
+            return queryMapper.Map<T>(command.ExecuteReader());
+        }
+
         public static IEnumerable<T> Where<T>(this IQMapConnection connection, LambdaExpression predicate, IEntityMapper? customMapper = null) where T : class, new()
         {
             var mapper = _mappersCache.GetOrAdd(typeof(T),
@@ -55,7 +80,7 @@ public static class QMapConnectionExtension
             return queryMapper.Map<T>(command.ExecuteReader());
         }
 
-        public static void Insert<T>(this IQMapConnection connection, T entity, Func<PropertyInfo, bool> exceptProperty)
+        public static void Insert<T, TProperty>(this IQMapConnection connection, T entity, Expression<Func<T, TProperty>> exceptProperty)
         {
             var command = connection.CreateCommand();
             var sql = new StatementsBuilders(connection.Dialect)
@@ -103,13 +128,17 @@ public static void Insert<T>(this IQMapConnection connection, T entity)
         {
             var command = connection.CreateCommand();
             var sql = new StatementsBuilders(connection.Dialect)
-                .Delete<T>()
+                .Delete<T>(out var parameters)
                 .From(typeof(T))
-                .Where<T>(predicate, out var parameters)
+                .Where<T>(predicate, out var parameters1)
                 .Build();
 
+            var allParameters = parameters.AsEnumerable().Concat(parameters1).ToDictionary((p) => p.Key, (p) => p.Value);
+
             command.CommandText = sql;
 
+            connection.Dialect.BuildParameters(command, allParameters);
+
             command.ExecuteNonQuery();
         }
     }