Entity framework SqlQuery execute query with repeated parameter
Try this:
string query =
@"SELECT Field1,
Field2
FROM Table1
WHERE UPPER(Field1) LIKE '%' + @searchTerm + '%'
OR UPPER(Field2) LIKE '%' + @searchTerm + '%'";
context.SqlQuery<ProjectViewModel>(query, new SqlParameter("@searchTerm", searchTerm)).ToList();
Vikas hatwal
Updated on June 04, 2022Comments
-
Vikas hatwal almost 2 years
I'm having troubles trying to execute a SQL query with repeated parameters using entity framework.
The query is a keyword search, that looks in different tables, therefore using the same parameter many times. I'm using LIKE statements (yes, I know I should be using FULLTEXTSEARCH, but I don't have time for that right now).
I've tried all the syntax explained here: How to use DbContext.Database.SqlQuery<TElement>(sql, params) with stored procedure? EF Code First CTP5 and none of them make the query work (I get zero returned rows).
I even tried building a string array in runtime, with length equal to the number of times the parameter repeats in the query, and then populating all the elements of the array with the keyword search term. Then I passed that as the object[] parameters. Didn't work either.
The only thing that works is to make a search&replace that is obviously a bad idea because the parameter comes from a text input, and I'll be vulnerable to SQL injection attacks.
The working code (vulnerable to SQL injection attacks, but the query returns rows):
//not the real query, but just for you to have an idea string query = "SELECT Field1, " + " Field2 " + "FROM Table1 " + "WHERE UPPER(Field1) LIKE '%{0}%' " + "OR UPPER(Field2) LIKE '%{0}%'"; //keywordSearchTerms is NOT sanitized query = query.Replace("{0}", keywordSearchTerms.ToUpper()); List<ProjectViewModel> list = null; using (var context = new MyContext()) { list = context.Database.SqlQuery<ProjectViewModel>(query, new object[] { }).ToList(); } return list;I'm using ASP.NET MVC 4, .NET 4.5, SQL Server 2008 and Entity Framework 5.
Any thoughts on how to make the SQLQuery<> method populate all the occurrences of the parameter in the query string? Thank you very much for your time.
-
Vikas hatwal about 11 yearsI tried this. It throws a SqlException: Must declare the scalar variable "@searchTerm". Thanks for the suggestion.
-
Vikas hatwal about 11 yearsI also tried this. In fact, I think it was one of my first attemps. It doesn't throw an exception, but the query returns zero results. Thanks.
-
Cloudsan Chen about 11 yearsDid you try to use the query in SQL Management Studio?
-
Cloudsan Chen about 11 yearswhat's your keywordSearchTerms? is it a single word? or multiple words?
-
Vikas hatwal about 11 yearsThe query works. When I use search&replace on the query string, the method gives back results for certain searches I have prepared for testing. It also works on SQL Management studio. So is not the query that is wrong. What I think the problem is that the SqlQuery<T>(query, params) method does not substitute the parameter placeholders in the query string with the sanitized value. Finally I don't think is relevant the value of the keywordSearchTerms. The LIKE operator works with strings, regardless of single or multiple words, as far as I know. Thanks for your time.
-
Ellesedil almost 10 yearsSince you're using string.Format to do the parameter replacement instead of SqlParameter, isn't this method susceptible to SQL injection?