Database.ExecuteSqlCommand

Database.ExecuteSqlCommand is very useful when leveraging Entity Framework 4.1/4.2 Code First model to do the data access or object relational mapping. To make sure your code is bullet proof for SQL injection attacks, you must use the parameterized SQL script when calling this method. Following is an example for this purpose.

context.Database.ExecuteSqlCommand("delete MasterSmsCampaignCertificateInfo where MasterSmsCampaignGuid = @p0 and CertificateId = @p1",
    TheCampaignGuid,
    certInfo.CertificateId);

Comments

• Anonymous
  May 30, 2012
  If you're doing a SQL WHERE [MasterSmsCampaignGuid] LIKE '%XYZ%PDQ%' what is the context.Database.ExecuteSqlCommand syntax?

• Anonymous
  November 04, 2012
  You would do something like this context.Database.ExecuteSqlCommand("delete MasterSmsCampaignCertificateInfo where MasterSmsCampaignGuid LIKE '%' + @p0 + '%'", "XYZ%PDQ"); or context.Database.ExecuteSqlCommand("delete MasterSmsCampaignCertificateInfo where MasterSmsCampaignGuid LIKE '%' + @p0 + '%' + @p1 + '%'", "XYZ", "PDQ");