RelationalDatabaseFacadeExtensions.ExecuteSqlCommand Method

Definition

Overloads

ExecuteSqlCommand(DatabaseFacade, FormattableString)

Executes the given SQL against the database and returns the number of rows affected.

Note that this method does not start a transaction. To use this method with a transaction, first call BeginTransaction(DatabaseFacade, IsolationLevel) or UseTransaction(DatabaseFacade, DbTransaction).

Note that the current ExecutionStrategy is not used by this method since the SQL may not be idempotent and does not run in a transaction. An ExecutionStrategy can be used explicitly, making sure to also use a transaction if the SQL is not idempotent.

As with any API that accepts SQL it is important to parameterize any user input to protect against a SQL injection attack. You can include parameter place holders in the SQL query string and then supply parameter values as additional arguments. Any parameter values you supply will automatically be converted to a DbParameter -

context.Database.ExecuteSqlCommand($"SELECT * FROM [dbo].[SearchBlogs]({userSuppliedSearchTerm})")
.

ExecuteSqlCommand(DatabaseFacade, RawSqlString, IEnumerable<Object>)

Executes the given SQL against the database and returns the number of rows affected.

Note that this method does not start a transaction. To use this method with a transaction, first call BeginTransaction(DatabaseFacade, IsolationLevel) or UseTransaction(DatabaseFacade, DbTransaction).

Note that the current ExecutionStrategy is not used by this method since the SQL may not be idempotent and does not run in a transaction. An ExecutionStrategy can be used explicitly, making sure to also use a transaction if the SQL is not idempotent.

As with any API that accepts SQL it is important to parameterize any user input to protect against a SQL injection attack. You can include parameter place holders in the SQL query string and then supply parameter values as additional arguments. Any parameter values you supply will automatically be converted to a DbParameter. You can also consider using ExecuteSqlInterpolated to use interpolated string syntax to create parameters.

ExecuteSqlCommand(DatabaseFacade, RawSqlString, Object[])

Executes the given SQL against the database and returns the number of rows affected.

Note that this method does not start a transaction. To use this method with a transaction, first call BeginTransaction(DatabaseFacade, IsolationLevel) or UseTransaction(DatabaseFacade, DbTransaction).

Note that the current ExecutionStrategy is not used by this method since the SQL may not be idempotent and does not run in a transaction. An ExecutionStrategy can be used explicitly, making sure to also use a transaction if the SQL is not idempotent.

As with any API that accepts SQL it is important to parameterize any user input to protect against a SQL injection attack. You can include parameter place holders in the SQL query string and then supply parameter values as additional arguments. Any parameter values you supply will automatically be converted to a DbParameter -

context.Database.ExecuteSqlCommand("SELECT * FROM [dbo].[SearchBlogs]({0})", userSuppliedSearchTerm)
. You can also consider using ExecuteSqlInterpolated to use interpolated string syntax to create parameters.

ExecuteSqlCommand(DatabaseFacade, String, Object[])

ExecuteSqlCommand(DatabaseFacade, FormattableString)

Warning

This API is now obsolete.

Executes the given SQL against the database and returns the number of rows affected.

Note that this method does not start a transaction. To use this method with a transaction, first call BeginTransaction(DatabaseFacade, IsolationLevel) or UseTransaction(DatabaseFacade, DbTransaction).

Note that the current ExecutionStrategy is not used by this method since the SQL may not be idempotent and does not run in a transaction. An ExecutionStrategy can be used explicitly, making sure to also use a transaction if the SQL is not idempotent.

As with any API that accepts SQL it is important to parameterize any user input to protect against a SQL injection attack. You can include parameter place holders in the SQL query string and then supply parameter values as additional arguments. Any parameter values you supply will automatically be converted to a DbParameter -

context.Database.ExecuteSqlCommand($"SELECT * FROM [dbo].[SearchBlogs]({userSuppliedSearchTerm})")
.

public static int ExecuteSqlCommand (this Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade databaseFacade, FormattableString sql);
[System.Obsolete("For the execution of SQL queries using plain strings, use ExecuteSqlRaw instead. For the execution of SQL queries using interpolated string syntax to create parameters, use ExecuteSqlInterpolated instead.")]
public static int ExecuteSqlCommand (this Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade databaseFacade, FormattableString sql);
static member ExecuteSqlCommand : Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade * FormattableString -> int

Parameters

databaseFacade
DatabaseFacade

The DatabaseFacade for the context.

sql
FormattableString

The interpolated string representing a SQL query with parameters.

Returns

Int32

The number of rows affected.

Attributes

ExecuteSqlCommand(DatabaseFacade, RawSqlString, IEnumerable<Object>)

Warning

This API is now obsolete.

Executes the given SQL against the database and returns the number of rows affected.

Note that this method does not start a transaction. To use this method with a transaction, first call BeginTransaction(DatabaseFacade, IsolationLevel) or UseTransaction(DatabaseFacade, DbTransaction).

Note that the current ExecutionStrategy is not used by this method since the SQL may not be idempotent and does not run in a transaction. An ExecutionStrategy can be used explicitly, making sure to also use a transaction if the SQL is not idempotent.

As with any API that accepts SQL it is important to parameterize any user input to protect against a SQL injection attack. You can include parameter place holders in the SQL query string and then supply parameter values as additional arguments. Any parameter values you supply will automatically be converted to a DbParameter. You can also consider using ExecuteSqlInterpolated to use interpolated string syntax to create parameters.

public static int ExecuteSqlCommand (this Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade databaseFacade, Microsoft.EntityFrameworkCore.RawSqlString sql, System.Collections.Generic.IEnumerable<object> parameters);
[System.Obsolete("For the execution of SQL queries using plain strings, use ExecuteSqlRaw instead. For the execution of SQL queries using interpolated string syntax to create parameters, use ExecuteSqlInterpolated instead.")]
public static int ExecuteSqlCommand (this Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade databaseFacade, Microsoft.EntityFrameworkCore.RawSqlString sql, System.Collections.Generic.IEnumerable<object> parameters);
static member ExecuteSqlCommand : Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade * Microsoft.EntityFrameworkCore.RawSqlString * seq<obj> -> int

Parameters

databaseFacade
DatabaseFacade

The DatabaseFacade for the context.

sql
RawSqlString

The SQL to execute.

parameters
IEnumerable<Object>

Parameters to use with the SQL.

Returns

Int32

The number of rows affected.

Attributes

ExecuteSqlCommand(DatabaseFacade, RawSqlString, Object[])

Warning

This API is now obsolete.

Executes the given SQL against the database and returns the number of rows affected.

Note that this method does not start a transaction. To use this method with a transaction, first call BeginTransaction(DatabaseFacade, IsolationLevel) or UseTransaction(DatabaseFacade, DbTransaction).

Note that the current ExecutionStrategy is not used by this method since the SQL may not be idempotent and does not run in a transaction. An ExecutionStrategy can be used explicitly, making sure to also use a transaction if the SQL is not idempotent.

As with any API that accepts SQL it is important to parameterize any user input to protect against a SQL injection attack. You can include parameter place holders in the SQL query string and then supply parameter values as additional arguments. Any parameter values you supply will automatically be converted to a DbParameter -

context.Database.ExecuteSqlCommand("SELECT * FROM [dbo].[SearchBlogs]({0})", userSuppliedSearchTerm)
. You can also consider using ExecuteSqlInterpolated to use interpolated string syntax to create parameters.

public static int ExecuteSqlCommand (this Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade databaseFacade, Microsoft.EntityFrameworkCore.RawSqlString sql, params object[] parameters);
[System.Obsolete("For the execution of SQL queries using plain strings, use ExecuteSqlRaw instead. For the execution of SQL queries using interpolated string syntax to create parameters, use ExecuteSqlInterpolated instead.")]
public static int ExecuteSqlCommand (this Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade databaseFacade, Microsoft.EntityFrameworkCore.RawSqlString sql, params object[] parameters);
static member ExecuteSqlCommand : Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade * Microsoft.EntityFrameworkCore.RawSqlString * obj[] -> int

Parameters

databaseFacade
DatabaseFacade

The DatabaseFacade for the context.

sql
RawSqlString

The SQL to execute.

parameters
Object[]

Parameters to use with the SQL.

Returns

Int32

The number of rows affected.

Attributes

ExecuteSqlCommand(DatabaseFacade, String, Object[])

public static int ExecuteSqlCommand (this Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade databaseFacade, string sql, params object[] parameters);
static member ExecuteSqlCommand : Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade * string * obj[] -> int

Parameters

databaseFacade
DatabaseFacade
sql
String
parameters
Object[]

Returns

Int32

Applies to