Reputation: 4932
When using DbSet<T>.SqlQuery(), how to use named parameters?
I'm a big fan of using named parameters instead of string-based parameter injection. It's type-safe and safe against most forms of SQL injection. In old ADO.NET, I would create a SqlCommand object and a bunch of SqlParameters for my query.
var sSQL = "select * from Users where Name = @Name";
var cmd = new SqlCommand(conn, sSQL);
cmd.Parameters.AddWithValue("@Name", "Bob");
cmd.ExecuteReader();
Now, in Entity Framework, it appears (on this link) to have regressed to a simple String.Format statement and string injection again: (simplified for discussion)
MyRepository.Users.SqlQuery("Select * from Users where Name = {0}", "Bob");
Is there a way to use named parameters with the Entity Framework DbSqlQuery class?
Upvotes: 6
Views: 3955
Answers (2)
Reputation: 77
Since I can't comment, I'm fixing the other answer:
var param = new ObjectParameter("p0", "Bob");
MyRepository.Users.SqlQuery("Select * from Users where Name = :p0", param);
You don't have to put a colon on the name when instantiating an ObjectParameter. That's why SLC got the error he mentioned in his comment.
Upvotes: 3
Reputation: 150293
var param = new ObjectParameter(":p0", "Bob");
MyRepository.Users.SqlQuery("Select * from Users where Name = :p0", param);
Upvotes: 4
Related Questions
- How to pass parameters to DbSet.SqlQuery Method in Entity Framework
- How to use SQL parameters to get dataset from SQL Server
- Use where clause in dynamic dbset in Entity Framework
- Entity Framework + sql injection
- Named parameters in asp.net mvc 5 SQL query
- Parametrized SQLQuery
- context database.sqlQuery<type>() with dynamic parameter list
- Using SQL Server named parameters with ExecuteStoreQuery and ExecuteStoreCommand
- What goes in the params parameter of the .SqlQuery() method in Entity Framework?
- SqlQuery(statement,params)