Database.ExecuteSqlCommand

Database.ExecuteSqlCommand is very useful when using the Entity Framework 4.1/4.2 Code First model for data access or object-relational mapping. To make sure your code is bulletproof against SQL injection attacks, you must use a parameterized SQL script when calling this method: the SQL text contains only placeholders, and the values are passed separately as arguments. The following is an example for this purpose.

// @p0 and @p1 are positional placeholders; the arguments that follow the SQL string
// are bound to them in order, so the values never become part of the SQL text.
context.Database.ExecuteSqlCommand("delete MasterSmsCampaignCertificateInfo where MasterSmsCampaignGuid = @p0 and CertificateId = @p1",
    TheCampaignGuid,
    certInfo.CertificateId);

Comments

  • Anonymous
    May 30, 2012
    If you're doing a SQL WHERE [MasterSmsCampaignGuid] LIKE '%XYZ%PDQ%' what is the context.Database.ExecuteSqlCommand syntax?

  • Anonymous
    November 04, 2012
    You would do something like this: context.Database.ExecuteSqlCommand("delete MasterSmsCampaignCertificateInfo where MasterSmsCampaignGuid LIKE '%' + @p0 + '%'", "XYZ%PDQ"); or context.Database.ExecuteSqlCommand("delete MasterSmsCampaignCertificateInfo where MasterSmsCampaignGuid LIKE '%' + @p0 + '%' + @p1 + '%'", "XYZ", "PDQ");
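As an added example that is not part of the original post or its comments, the following C# (the CampaignContext type and the method names are assumed) places the string-concatenated form the post warns against next to the parameterized call, and adds a LIKE variant for the question raised in the comments that escapes wildcard characters in the parameter value so user input is matched literally.

```csharp
using System;
using System.Data.Entity;

// Assumed DbContext for the MasterSmsCampaignCertificateInfo table named in the post.
public class CampaignContext : DbContext { }

public static class CampaignRepository
{
    // VULNERABLE: the values are spliced into the SQL text, so a value containing a
    // quote character can end the literal and alter the statement. Kept only to
    // contrast with the parameterized form below.
    public static int DeleteCertificateUnsafe(CampaignContext context, Guid campaignGuid, string certificateId)
    {
        string sql = "delete MasterSmsCampaignCertificateInfo where MasterSmsCampaignGuid = '"
            + campaignGuid + "' and CertificateId = '" + certificateId + "'";
        return context.Database.ExecuteSqlCommand(sql);
    }

    // SAFE: values are bound to @p0/@p1 by position; the SQL text is constant.
    public static int DeleteCertificate(CampaignContext context, Guid campaignGuid, string certificateId)
    {
        return context.Database.ExecuteSqlCommand(
            "delete MasterSmsCampaignCertificateInfo where MasterSmsCampaignGuid = @p0 and CertificateId = @p1",
            campaignGuid,
            certificateId);
    }

    // A parameterized LIKE is still injection-safe, but '%', '_' and '[' inside the
    // parameter value act as wildcards in SQL Server. Escape them (and the escape
    // character itself) so the caller's text matches literally.
    public static string EscapeLikeValue(string value)
    {
        return value.Replace("\\", "\\\\")
                    .Replace("%", "\\%")
                    .Replace("_", "\\_")
                    .Replace("[", "\\[");
    }

    // Deletes rows whose MasterSmsCampaignGuid contains the given fragment. The
    // surrounding '%' wildcards are added by the code, not by the caller, and the
    // ESCAPE clause tells SQL Server which character marks an escaped wildcard.
    public static int DeleteByCampaignGuidFragment(CampaignContext context, string fragment)
    {
        return context.Database.ExecuteSqlCommand(
            "delete MasterSmsCampaignCertificateInfo where MasterSmsCampaignGuid LIKE @p0 ESCAPE '\\'",
            "%" + EscapeLikeValue(fragment) + "%");
    }
}
```

Each method returns the number of affected rows, which is the value ExecuteSqlCommand reports; DeleteCertificateUnsafe exists only to show the pattern to avoid.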