Pay close attention to parameterization when using SQL queries

When introducing any user-provided values into a SQL query, care must be taken to avoid SQL injection attacks. SQL injection occurs when a program integrates a user-provided string value into a SQL query, and the user-provided value is crafted to terminate the string and perform another malicious SQL operation. To learn more about SQL injection, see this page.

The FromSql and FromSqlInterpolated methods are safe against SQL injection, and always integrate parameter data as a separate SQL parameter. However, the FromSqlRaw method can be vulnerable to SQL injection attacks, if improperly used.

The following example passes a single parameter to a stored procedure by including a parameter placeholder in the SQL query string and providing an additional argument:

    var user = "johndoe"
    FromSql($"EXECUTE dbo.GetMostPopularBlogsForUser )")

This feature was introduced in EF Core 7.0.

While FromSql is useful for querying entities defined in your model, SqlQuery allows you to easily query for scalar, non-entity types via SQL, without needing to drop down to lower-level data access APIs. For example, the following query fetches all the IDs from the Blogs table:

    var ids = context.Database

You can also compose LINQ operators over your SQL query. However, since your SQL becomes a subquery whose output column needs to be referenced by the SQL EF adds, you must name the output column Value. For example, the following query returns the IDs which are above the ID average:

    var overAverageIds = context.Database
    Where(id => id > (b => b.BlogId))

FromSql can be used with any scalar type supported by your database provider. If you'd like to use a type not supported by your database provider, you can use pre-convention configuration to define a value conversion for it.

SqlQueryRaw allows for dynamic construction of SQL queries, just like FromSqlRaw does for entity types.

In some scenarios, it may be necessary to execute SQL which does not return any data, typically for modifying data in the database or calling a stored procedure which doesn't return any result sets. This can be done via ExecuteSql:

    using (var context = new BloggingContext())
    var rowsModified = ($"UPDATE SET = NULL")

This executes the provided SQL and returns the number of rows modified.
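The difference between FromSqlRaw with a concatenated string and the parameterized forms, as an added example that is not part of the original page. It assumes EF Core 7.0 or later with the Microsoft.EntityFrameworkCore.Sqlite provider; the Blog entity, its Owner column, DemoContext and the sample rows and input are hypothetical and constructed for the demonstration.

```csharp
// Added example, not from the original page. Blog, Owner and DemoContext are
// hypothetical names; rows and input below are constructed sample data.
using System;
using System.Linq;
using Microsoft.Data.Sqlite;
using Microsoft.EntityFrameworkCore;

// Keep one open connection so the in-memory database lives for the whole run.
using var connection = new SqliteConnection("DataSource=:memory:");
connection.Open();
using var context = new DemoContext(
    new DbContextOptionsBuilder<DemoContext>().UseSqlite(connection).Options);
context.Database.EnsureCreated();
context.Blogs.AddRange(
    new Blog { Owner = "johndoe" },
    new Blog { Owner = "janeroe" });
context.SaveChanges();

// Constructed input that terminates the string literal and widens the WHERE clause.
var user = "nobody' OR '1'='1";

// Vulnerable: the value becomes part of the SQL text, so the quote in the
// input ends the literal and the rest is parsed as SQL.
var concatenated = context.Blogs
    .FromSqlRaw("SELECT * FROM Blogs WHERE Owner = '" + user + "'")
    .ToList();

// Safe: FromSqlRaw with a placeholder and a separate argument sends a DbParameter.
var rawWithParameter = context.Blogs
    .FromSqlRaw("SELECT * FROM Blogs WHERE Owner = {0}", user)
    .ToList();

// Safe: FromSql converts the interpolated value into a DbParameter as well,
// so the whole input is compared as a single string value.
var interpolated = context.Blogs
    .FromSql($"SELECT * FROM Blogs WHERE Owner = {user}")
    .ToList();

Console.WriteLine($"concatenated={concatenated.Count} " +
    $"rawWithParameter={rawWithParameter.Count} interpolated={interpolated.Count}");

public class Blog
{
    public int BlogId { get; set; }
    public string Owner { get; set; } = "";
}

public class DemoContext : DbContext
{
    public DemoContext(DbContextOptions<DemoContext> options) : base(options) { }
    public DbSet<Blog> Blogs => Set<Blog>();
}
```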