When using the SQL extension method, we are using parameters to pass the values to the query. This ensures that one cannot inject unwanted SQL. If you then also use a constant to define your SQL to be used within the SQL extension method, you are on the safe side. And we check that the actual SQL that we try to produce actually comes from a string constant.
Hope that helps.
Feel free to ask if you have any other question.
the Telerik team
If you want to get updates on new releases, tips and tricks and sneak peeks at our product labs directly from the developers working on the OpenAccess ORM, subscribe to their blog feed.
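To illustrate the two points made in the reply above (values travel as bound parameters, and the SQL text itself comes from a constant), here is an added example that is not part of the original thread and is not Telerik or OpenAccess code. It uses Python's standard `sqlite3` module instead of the OpenAccess SQL extension method, with a constructed in-memory table; the `ALLOWED_SQL` allow-list and the `run_constant_sql` helper are hypothetical names standing in for the "SQL must come from a string constant" check.

```python
import sqlite3

# Constant SQL text: the statement shape never changes at runtime, only the bound values do.
USER_BY_NAME_SQL = "SELECT id, name FROM users WHERE name = ?"

# Allow-list of SQL constants this module is willing to execute. This mirrors the idea of
# accepting only SQL that originates from a string constant (hypothetical, not an OpenAccess API).
ALLOWED_SQL = frozenset({USER_BY_NAME_SQL})


def make_db():
    """Constructed in-memory sample database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_admin INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (name, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0)],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """Vulnerable form: the caller's value is spliced into the SQL text, so a quote
    character inside `name` changes the structure of the statement."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def is_constant_sql(sql):
    """True only for SQL text that is one of this module's known constants."""
    return sql in ALLOWED_SQL


def run_constant_sql(conn, sql, params):
    """Execute only allow-listed constant SQL; the values go through as bound parameters."""
    if not is_constant_sql(sql):
        raise ValueError("refusing to execute SQL that is not a known constant")
    return conn.execute(sql, params).fetchall()


def find_user_safe(conn, name):
    """Hardened form: constant SQL text plus a bound parameter, so the database
    treats `name` purely as data, never as part of the statement."""
    return run_constant_sql(conn, USER_BY_NAME_SQL, (name,))


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"  # constructed sample input containing a quote character
    print(find_user_unsafe(db, hostile))  # both users: the quote escaped the string literal
    print(find_user_safe(db, hostile))    # []: it looked for a user literally named x' OR '1'='1
```

The same hostile input yields every row through the concatenated query and no rows through the parameterized one, which is exactly the difference the reply describes; the allow-list check on top of that rejects any SQL text that was assembled at runtime rather than taken from a constant.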