RelationalDatabaseFacadeExtensions.ExecuteSqlRaw Method
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Overloads
ExecuteSqlRaw(DatabaseFacade, String, IEnumerable<Object>) |
Executes the given SQL against the database and returns the number of rows affected. |
ExecuteSqlRaw(DatabaseFacade, String, Object[]) |
Executes the given SQL against the database and returns the number of rows affected. |
ExecuteSqlRaw(DatabaseFacade, String, IEnumerable<Object>)
Executes the given SQL against the database and returns the number of rows affected.
public static int ExecuteSqlRaw (this Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade databaseFacade, string sql, System.Collections.Generic.IEnumerable<object> parameters);
static member ExecuteSqlRaw : Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade * string * seq<obj> -> int
<Extension()>
Public Function ExecuteSqlRaw (databaseFacade As DatabaseFacade, sql As String, parameters As IEnumerable(Of Object)) As Integer
Parameters
- databaseFacade
- DatabaseFacade
The DatabaseFacade for the context.
- sql
- String
The SQL to execute.
- parameters
- IEnumerable<Object>
Parameters to use with the SQL.
Returns
The number of rows affected.
Remarks
Note that this method does not start a transaction. To use this method with a transaction, first call BeginTransaction(DatabaseFacade, IsolationLevel) or UseTransaction.
Note that the current ExecutionStrategy is not used by this method since the SQL may not be idempotent and does not run in a transaction. An ExecutionStrategy can be used explicitly, making sure to also use a transaction if the SQL is not idempotent.
As with any API that accepts SQL it is important to parameterize any user input to protect against a SQL injection attack. You can include parameter place holders in the SQL query string and then supply parameter values as additional arguments. Any parameter values you supply will automatically be converted to a DbParameter.
However, never pass a concatenated or interpolated string ($""
) with non-validated user-provided values into this method. Doing so may expose your application to SQL injection attacks. To use the interpolated string syntax, consider using ExecuteSql(DatabaseFacade, FormattableString) to create parameters.
See Executing raw SQL commands with EF Core for more information and examples.
Applies to
ExecuteSqlRaw(DatabaseFacade, String, Object[])
Executes the given SQL against the database and returns the number of rows affected.
public static int ExecuteSqlRaw (this Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade databaseFacade, string sql, params object[] parameters);
static member ExecuteSqlRaw : Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade * string * obj[] -> int
<Extension()>
Public Function ExecuteSqlRaw (databaseFacade As DatabaseFacade, sql As String, ParamArray parameters As Object()) As Integer
Parameters
- databaseFacade
- DatabaseFacade
The DatabaseFacade for the context.
- sql
- String
The SQL to execute.
- parameters
- Object[]
Parameters to use with the SQL.
Returns
The number of rows affected.
Remarks
Note that this method does not start a transaction. To use this method with a transaction, first call BeginTransaction(DatabaseFacade, IsolationLevel) or UseTransaction.
Note that the current ExecutionStrategy is not used by this method since the SQL may not be idempotent and does not run in a transaction. An ExecutionStrategy can be used explicitly, making sure to also use a transaction if the SQL is not idempotent.
As with any API that accepts SQL it is important to parameterize any user input to protect against a SQL injection attack. You can include parameter place holders in the SQL query string and then supply parameter values as additional arguments. Any parameter values you supply will automatically be converted to a DbParameter.
However, never pass a concatenated or interpolated string ($""
) with non-validated user-provided values into this method. Doing so may expose your application to SQL injection attacks. To use the interpolated string syntax, consider using ExecuteSql(DatabaseFacade, FormattableString) to create parameters.
See Executing raw SQL commands with EF Core for more information and examples.
Applies to
Entity Framework