Entity Framework - execute database commands directly

With EF 4.1 or newer you can execute any database command directly. The methods described in this section run native SQL commands against the database.


Get entity object set through SQL query statement

The SqlQuery method of the DbSet class executes a native SQL query that returns a set of entity objects. By default the returned objects are tracked by the context; tracking can be switched off by calling the AsNoTracking method on the DbSqlQuery object that SqlQuery returns. The result set must be of the entity type that corresponds to the DbSet; not even derived types of that entity can be returned this way. If the queried table also holds rows for other entity types, the SQL statement must be written so that only rows of the requested entity type come back. The following example uses SqlQuery to run a SQL query and returns a set of Department instances.

using (var context = new SchoolEntities())
{
    // Returns tracked Department entities; the select list must cover every mapped column.
    var departments = context.Departments.SqlQuery(
        "select * from Department").ToList();
}


Note: AsNoTracking must be called before the query is executed; calling it after the query has already run has no effect.
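The tracked/untracked difference is easiest to see by asking the context for the entity state after each query. The following is an added example, not code from the original post; it assumes the post's SchoolEntities context with a Departments DbSet whose Department entity has a DepartmentID column, and it uses a {0} placeholder for the key rather than pasting it into the statement text.

```csharp
using System;
using System.Data.Entity;
using System.Linq;

// Added example (not from the original post). Assumes the post's SchoolEntities
// context with DbSet<Department> Departments and a DepartmentID column.
public static class SqlQueryTrackingDemo
{
    // Returns (state of the tracked entity, state of the untracked entity) so the
    // effect of AsNoTracking is visible in code rather than by inspection.
    public static Tuple<EntityState, EntityState> Run()
    {
        using (var context = new SchoolEntities())
        {
            // Tracked: DbSet.SqlQuery returns entities the context manages.
            var tracked = context.Departments
                .SqlQuery("SELECT * FROM Department WHERE DepartmentID = {0}", 1)
                .Single();

            // Untracked: AsNoTracking is applied to the DbSqlQuery BEFORE it is
            // enumerated (Single() is what executes the query). Calling it on a
            // new query object afterwards does nothing for objects already loaded.
            var untracked = context.Departments
                .SqlQuery("SELECT * FROM Department WHERE DepartmentID = {0}", 1)
                .AsNoTracking()
                .Single();

            return Tuple.Create(
                context.Entry(tracked).State,     // EntityState.Unchanged
                context.Entry(untracked).State);  // EntityState.Detached
        }
    }
}
```

Edits made to the untracked instance are ignored by SaveChanges(), which is exactly why AsNoTracking is useful for read-only queries: no change-tracker bookkeeping, and no risk of accidentally persisting a modification.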

Get a set of non-entity objects through an SQL query

The SqlQuery method of the Database class executes a native SQL command and can return instances of any type, including the primitive .NET types. Data retrieved this way is not tracked by the context, even when the method is used to retrieve entity objects. For example:

using (var context = new SchoolEntities())
{
    // Returns plain strings; nothing here is attached to the context.
    var names = context.Database.SqlQuery<string>("select Name from Department").ToList();
}
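Database.SqlQuery<T> is most useful for projections that have no entity type of their own. The following is an added example, not code from the original post; it assumes the post's SchoolEntities context and Department table, plus an assumed Course table with CourseID and DepartmentID columns for the aggregate, and it shows that even an entity loaded through Database.SqlQuery comes back detached.

```csharp
using System.Collections.Generic;
using System.Data.Entity;
using System.Linq;

// Added example (not from the original post). Assumes the post's SchoolEntities
// context and Department table; the Course table (CourseID, DepartmentID) is assumed.
public class DepartmentSummary
{
    // Result columns are matched to properties by name, so the SQL aliases
    // below must equal these property names exactly.
    public int DepartmentID { get; set; }
    public string Name { get; set; }
    public int CourseCount { get; set; }
}

public static class NonEntityQueryDemo
{
    // Materializes a type that is not an entity and has no DbSet.
    public static List<DepartmentSummary> Summaries()
    {
        using (var context = new SchoolEntities())
        {
            return context.Database.SqlQuery<DepartmentSummary>(
                "SELECT d.DepartmentID, d.Name, COUNT(c.CourseID) AS CourseCount " +
                "FROM Department d LEFT JOIN Course c ON c.DepartmentID = d.DepartmentID " +
                "GROUP BY d.DepartmentID, d.Name").ToList();
        }
    }

    // Even when T is an entity type, Database.SqlQuery does not attach the
    // result: the state is Detached, so SaveChanges() would ignore any edits.
    public static EntityState StateOfEntityLoadedViaDatabaseSqlQuery()
    {
        using (var context = new SchoolEntities())
        {
            var dept = context.Database
                .SqlQuery<Department>("SELECT * FROM Department WHERE DepartmentID = {0}", 1)
                .Single();
            return context.Entry(dept).State; // EntityState.Detached
        }
    }
}
```

If you need to modify an entity obtained this way, call context.Departments.Attach(dept) first; otherwise the change never reaches the database.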


Let the database execute native non-query SQL commands

Non-query commands can be executed through the ExecuteSqlCommand method of the Database class. For example:

using (var context = new SchoolEntities())
{
    // Runs the UPDATE directly; the context's change tracker is not involved.
    context.Database.ExecuteSqlCommand("update Department set Name = 'Mathematics' where Name = 'Math'");
}


The ExecuteSqlCommand method is sometimes used in the database initializer of a Code First model to perform additional configuration of the database (for example, creating indexes). Be aware that after ExecuteSqlCommand runs, the context does not know that the data in the database has changed, unless you load or reload the entity sets from the database.
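The stale-context behaviour described above is worth seeing once in code. The following is an added example, not from the original post; it assumes the post's SchoolEntities context and a Department row named "Math", mirrors the post's UPDATE statement, and uses DbEntityEntry.Reload() to refresh the cached copy.

```csharp
using System;
using System.Data.Entity;
using System.Linq;

// Added example (not from the original post). Assumes the post's SchoolEntities
// context and a Department row whose Name is "Math".
public static class ExecuteSqlCommandDemo
{
    // Returns (name held by the context before Reload, name after Reload, rows affected)
    // to show that ExecuteSqlCommand bypasses the change tracker.
    public static Tuple<string, string, int> RenameAndReload()
    {
        using (var context = new SchoolEntities())
        {
            // Load the entity first so the context holds a cached copy of the row.
            var math = context.Departments.Single(d => d.Name == "Math");

            // The UPDATE runs straight against the database; the context is not told.
            int rows = context.Database.ExecuteSqlCommand(
                "UPDATE Department SET Name = 'Mathematics' WHERE Name = 'Math'");

            string before = math.Name;   // still "Math": the tracked copy is stale

            // Reload discards the cached values and re-reads the row from the database.
            context.Entry(math).Reload();
            string after = math.Name;    // "Mathematics"

            return Tuple.Create(before, after, rows);
        }
    }
}
```

The return value of ExecuteSqlCommand is the number of rows the command affected, which is the cheapest check that a maintenance statement in an initializer actually did something.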

Call a stored procedure

Code First does not support mapping stored procedures. You can, however, call a stored procedure directly through the ExecuteSqlCommand or SqlQuery methods. For example: context.Database.ExecuteSqlCommand("EXECUTE [dbo].[DoSomething]").

Note: all three methods discussed in this article (DbSet.SqlQuery, Database.SqlQuery and Database.ExecuteSqlCommand) support parameterized queries. The usage resembles string.Format, but the supplied values are type-converted when the query executes. For example: context.Departments.SqlQuery("select * from Department where DepartmentID = {0}", "6"); when the statement runs, the string "6" is converted to an integer and then substituted into the query for execution. This effectively prevents SQL injection.

Prevent SQL Injection Attacks

Applications often need to take input from outside (from users and other external agents) and then act on it. Any information obtained directly or indirectly from a user or external agent may exploit the syntax of the target language to carry out operations that were never intended. When the target language is Structured Query Language (SQL), such as Transact-SQL, this is called a SQL injection attack. A malicious user can inject commands directly into the query to run an operation of their choosing, delete a table from the database, cause a denial of service, or change the nature of the operation being performed. You should therefore use parameterized queries instead of inserting an externally obtained string directly into the query text.
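The following added example (not code from the original post) puts the stored-procedure call, the parameterization note and the injection warning above side by side: a query that splices caller text into the statement, the same query with a {0} placeholder, a named SqlParameter passed to a stored procedure, and the one case parameters cannot cover. It assumes the post's SchoolEntities context and Department table, and assumes that [dbo].[DoSomething] takes a single @DepartmentID parameter. The identifier allow-list at the end goes beyond what the post states.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Linq;

// Added example (not from the original post). Assumes the post's SchoolEntities
// context, its Department table, and a [dbo].[DoSomething] procedure that is
// assumed here to take one @DepartmentID parameter.
public static class ParameterizedQueryDemo
{
    // VULNERABLE: the caller's text becomes part of the statement. A value
    // containing a single quote ends the literal early and the remainder is
    // parsed as SQL, so the caller controls the WHERE clause.
    public static List<Department> FindByNameUnsafe(string name)
    {
        using (var context = new SchoolEntities())
        {
            return context.Departments
                .SqlQuery("SELECT * FROM Department WHERE Name = '" + name + "'")
                .ToList();
        }
    }

    // SAFE: {0} becomes a DbParameter. The value travels separately from the
    // statement text and is only ever compared, never parsed as SQL.
    public static List<Department> FindByName(string name)
    {
        using (var context = new SchoolEntities())
        {
            return context.Departments
                .SqlQuery("SELECT * FROM Department WHERE Name = {0}", name)
                .ToList();
        }
    }

    // Named parameters: pass SqlParameter objects and reference them by name.
    // The same mechanism parameterizes a stored procedure call.
    public static int RunDoSomething(int departmentId)
    {
        using (var context = new SchoolEntities())
        {
            return context.Database.ExecuteSqlCommand(
                "EXECUTE [dbo].[DoSomething] @DepartmentID",
                new SqlParameter("@DepartmentID", departmentId));
        }
    }

    // What parameters cannot protect: identifiers. A column or table name can
    // never be a parameter, so validate it against a fixed allow-list instead.
    private static readonly HashSet<string> SortableColumns =
        new HashSet<string> { "DepartmentID", "Name" };

    public static List<Department> ListSorted(string orderBy)
    {
        if (!SortableColumns.Contains(orderBy))
            throw new ArgumentException("Unknown sort column", nameof(orderBy));

        using (var context = new SchoolEntities())
        {
            // Safe only because orderBy was just checked against SortableColumns.
            return context.Departments
                .SqlQuery("SELECT * FROM Department ORDER BY [" + orderBy + "]")
                .ToList();
        }
    }
}
```

A quick way to audit existing code for the unsafe pattern is to search for SqlQuery( and ExecuteSqlCommand( calls whose first argument is built with + or string.Format rather than a constant with {n} placeholders.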
