Rowan Miller

Hi Darren,

I work on the EF team at Microsoft. It might be good to include a code snippet to show folks how to correctly parameterize using SqlQuery - just to make it clear that there is a SQL injection resilient way to use the API (I realize the point of your post isn't that this method is always dangerous but that it can be dangerous if used incorrectly).

// @p0 is bound to the first extra argument; EF wraps it in a SqlParameter rather than splicing it into the SQL text.
var result = context.Database.SqlQuery<Book>("SELECT * FROM Books WHERE Title LIKE @p0", "%" + title + "%");

This avoids string concatenation and runs a truly parameterized query against the database. Note that you can either pass 'title' directly (as shown here) and EF will create the parameter object for you, or create your own SqlParameter directly and pass that in (as you did in the stored procedure example).
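The concatenated form that the post warns about, side by side with the two parameterized forms Rowan describes, as an added example that is not Rowan's or the EF team's code; it assumes an EF6 DbContext named BookContext with a Book entity, both defined here for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.Entity;
using System.Data.SqlClient;
using System.Linq;

// Assumed EF6 entity and context (constructed for this example, not from the post).
public class Book { public int Id { get; set; } public string Title { get; set; } }
public class BookContext : DbContext { public DbSet<Book> Books { get; set; } }

public static class BookSearch
{
    // UNSAFE: the user-supplied title is spliced into the command text, so a quote
    // character in the input changes the statement instead of being treated as data.
    // The same applies to string.Format and $"..." interpolation passed to SqlQuery.
    public static List<Book> FindUnsafe(BookContext context, string title)
    {
        var sql = "SELECT * FROM Books WHERE Title LIKE '%" + title + "%'";
        return context.Database.SqlQuery<Book>(sql).ToList();
    }

    // SAFE (positional placeholder): EF turns the extra argument into a SqlParameter,
    // so the input is sent as a value and never parsed as SQL.
    public static List<Book> FindByTitle(BookContext context, string title)
    {
        return context.Database.SqlQuery<Book>(
            "SELECT * FROM Books WHERE Title LIKE @p0", "%" + title + "%").ToList();
    }

    // SAFE (explicit SqlParameter): same protection, but you control the name,
    // SqlDbType and size, which also gives SQL Server a stable plan-cache key.
    public static List<Book> FindByTitleExplicit(BookContext context, string title)
    {
        var p = new SqlParameter("@title", SqlDbType.NVarChar, 200)
        {
            Value = "%" + title + "%"
        };
        return context.Database.SqlQuery<Book>(
            "SELECT * FROM Books WHERE Title LIKE @title", p).ToList();
    }
}
```

Parameterizing closes the injection hole but does not change LIKE semantics: a `%` or `_` inside the user's title still acts as a wildcard, which is a matching-behaviour question rather than a security one.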
