RelationalDatabaseFacadeExtensions.ExecuteSqlRawAsync Method

Definition

Overloads

ExecuteSqlRawAsync(DatabaseFacade, String, CancellationToken)

Executes the given SQL against the database and returns the number of rows affected.

Note that this method does not start a transaction. To use this method with a transaction, first call BeginTransaction(DatabaseFacade, IsolationLevel) or UseTransaction.

Note that the current ExecutionStrategy is not used by this method since the SQL may not be idempotent and does not run in a transaction. An ExecutionStrategy can be used explicitly, making sure to also use a transaction if the SQL is not idempotent.

var userSuppliedSearchTerm = ".NET";
context.Database.ExecuteSqlRawAsync("UPDATE Blogs SET Rank = 50 WHERE Name = {0}", userSuppliedSearchTerm);

Never pass a concatenated or interpolated string ($"") with non-validated user-provided values into this method. Doing so may expose your application to SQL injection attacks.

ExecuteSqlRawAsync(DatabaseFacade, String, Object[])

Executes the given SQL against the database and returns the number of rows affected.

Note that this method does not start a transaction. To use this method with a transaction, first call BeginTransaction(DatabaseFacade, IsolationLevel) or UseTransaction.

Note that the current ExecutionStrategy is not used by this method since the SQL may not be idempotent and does not run in a transaction. An ExecutionStrategy can be used explicitly, making sure to also use a transaction if the SQL is not idempotent.

As with any API that accepts SQL it is important to parameterize any user input to protect against a SQL injection attack. You can include parameter place holders in the SQL query string and then supply parameter values as additional arguments. Any parameter values you supply will automatically be converted to a DbParameter:

var userSuppliedSearchTerm = ".NET";
context.Database.ExecuteSqlRawAsync("UPDATE Blogs SET Rank = 50 WHERE Name = {0}", userSuppliedSearchTerm);

However, never pass a concatenated or interpolated string ($"") with non-validated user-provided values into this method. Doing so may expose your application to SQL injection attacks. To use the interpolated string syntax, consider using ExecuteSqlInterpolated(DatabaseFacade, FormattableString) to create parameters.

ExecuteSqlRawAsync(DatabaseFacade, String, IEnumerable<Object>, CancellationToken)

Executes the given SQL against the database and returns the number of rows affected.

Note that this method does not start a transaction. To use this method with a transaction, first call BeginTransaction(DatabaseFacade, IsolationLevel) or UseTransaction.

Note that the current ExecutionStrategy is not used by this method since the SQL may not be idempotent and does not run in a transaction. An ExecutionStrategy can be used explicitly, making sure to also use a transaction if the SQL is not idempotent.

As with any API that accepts SQL it is important to parameterize any user input to protect against a SQL injection attack. You can include parameter place holders in the SQL query string and then supply parameter values as additional arguments. Any parameter values you supply will automatically be converted to a DbParameter:

var userSuppliedSearchTerm = ".NET";
context.Database.ExecuteSqlRawAsync("UPDATE Blogs SET Rank = 50 WHERE Name = {0}", userSuppliedSearchTerm);

However, never pass a concatenated or interpolated string ($"") with non-validated user-provided values into this method. Doing so may expose your application to SQL injection attacks. To use the interpolated string syntax, consider using ExecuteSqlInterpolated(DatabaseFacade, FormattableString) to create parameters.

ExecuteSqlRawAsync(DatabaseFacade, String, CancellationToken)

Executes the given SQL against the database and returns the number of rows affected.

Note that this method does not start a transaction. To use this method with a transaction, first call BeginTransaction(DatabaseFacade, IsolationLevel) or UseTransaction.

Note that the current ExecutionStrategy is not used by this method since the SQL may not be idempotent and does not run in a transaction. An ExecutionStrategy can be used explicitly, making sure to also use a transaction if the SQL is not idempotent.

var userSuppliedSearchTerm = ".NET";
context.Database.ExecuteSqlRawAsync("UPDATE Blogs SET Rank = 50 WHERE Name = {0}", userSuppliedSearchTerm);

Never pass a concatenated or interpolated string ($"") with non-validated user-provided values into this method. Doing so may expose your application to SQL injection attacks.

public static System.Threading.Tasks.Task<int> ExecuteSqlRawAsync (this Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade databaseFacade, string sql, System.Threading.CancellationToken cancellationToken = default);
static member ExecuteSqlRawAsync : Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade * string * System.Threading.CancellationToken -> System.Threading.Tasks.Task<int>
<Extension()>
Public Function ExecuteSqlRawAsync (databaseFacade As DatabaseFacade, sql As String, Optional cancellationToken As CancellationToken = Nothing) As Task(Of Integer)

Parameters

databaseFacade
DatabaseFacade

The DatabaseFacade for the context.

sql
String

The SQL to execute.

cancellationToken
CancellationToken

A CancellationToken to observe while waiting for the task to complete.

Returns

Task<Int32>

A task that represents the asynchronous operation. The task result is the number of rows affected.

Exceptions

Remarks

See Executing raw SQL commands with EF Core for more information.

Applies to

ExecuteSqlRawAsync(DatabaseFacade, String, Object[])

Executes the given SQL against the database and returns the number of rows affected.

Note that this method does not start a transaction. To use this method with a transaction, first call BeginTransaction(DatabaseFacade, IsolationLevel) or UseTransaction.

Note that the current ExecutionStrategy is not used by this method since the SQL may not be idempotent and does not run in a transaction. An ExecutionStrategy can be used explicitly, making sure to also use a transaction if the SQL is not idempotent.

As with any API that accepts SQL it is important to parameterize any user input to protect against a SQL injection attack. You can include parameter place holders in the SQL query string and then supply parameter values as additional arguments. Any parameter values you supply will automatically be converted to a DbParameter:

var userSuppliedSearchTerm = ".NET";
context.Database.ExecuteSqlRawAsync("UPDATE Blogs SET Rank = 50 WHERE Name = {0}", userSuppliedSearchTerm);

However, never pass a concatenated or interpolated string ($"") with non-validated user-provided values into this method. Doing so may expose your application to SQL injection attacks. To use the interpolated string syntax, consider using ExecuteSqlInterpolated(DatabaseFacade, FormattableString) to create parameters.

public static System.Threading.Tasks.Task<int> ExecuteSqlRawAsync (this Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade databaseFacade, string sql, params object[] parameters);
static member ExecuteSqlRawAsync : Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade * string * obj[] -> System.Threading.Tasks.Task<int>
<Extension()>
Public Function ExecuteSqlRawAsync (databaseFacade As DatabaseFacade, sql As String, ParamArray parameters As Object()) As Task(Of Integer)

Parameters

databaseFacade
DatabaseFacade

The DatabaseFacade for the context.

sql
String

The SQL to execute.

parameters
Object[]

Parameters to use with the SQL.

Returns

Task<Int32>

A task that represents the asynchronous operation. The task result is the number of rows affected.

Remarks

See Executing raw SQL commands with EF Core for more information.

Applies to

ExecuteSqlRawAsync(DatabaseFacade, String, IEnumerable<Object>, CancellationToken)

Executes the given SQL against the database and returns the number of rows affected.

Note that this method does not start a transaction. To use this method with a transaction, first call BeginTransaction(DatabaseFacade, IsolationLevel) or UseTransaction.

Note that the current ExecutionStrategy is not used by this method since the SQL may not be idempotent and does not run in a transaction. An ExecutionStrategy can be used explicitly, making sure to also use a transaction if the SQL is not idempotent.

As with any API that accepts SQL it is important to parameterize any user input to protect against a SQL injection attack. You can include parameter place holders in the SQL query string and then supply parameter values as additional arguments. Any parameter values you supply will automatically be converted to a DbParameter:

var userSuppliedSearchTerm = ".NET";
context.Database.ExecuteSqlRawAsync("UPDATE Blogs SET Rank = 50 WHERE Name = {0}", userSuppliedSearchTerm);

However, never pass a concatenated or interpolated string ($"") with non-validated user-provided values into this method. Doing so may expose your application to SQL injection attacks. To use the interpolated string syntax, consider using ExecuteSqlInterpolated(DatabaseFacade, FormattableString) to create parameters.

public static System.Threading.Tasks.Task<int> ExecuteSqlRawAsync (this Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade databaseFacade, string sql, System.Collections.Generic.IEnumerable<object> parameters, System.Threading.CancellationToken cancellationToken = default);
static member ExecuteSqlRawAsync : Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade * string * seq<obj> * System.Threading.CancellationToken -> System.Threading.Tasks.Task<int>
<Extension()>
Public Function ExecuteSqlRawAsync (databaseFacade As DatabaseFacade, sql As String, parameters As IEnumerable(Of Object), Optional cancellationToken As CancellationToken = Nothing) As Task(Of Integer)

Parameters

databaseFacade
DatabaseFacade

The DatabaseFacade for the context.

sql
String

The SQL to execute.

parameters
IEnumerable<Object>

Parameters to use with the SQL.

cancellationToken
CancellationToken

A CancellationToken to observe while waiting for the task to complete.

Returns

Task<Int32>

A task that represents the asynchronous operation. The task result is the number of rows affected.

Exceptions

Remarks

See Executing raw SQL commands with EF Core for more information.

Applies to