Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Teams

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Let's just suppose I have a valid need for directly executing a sql command in Entity Framework. I am having trouble figuring out how to use parameters in my sql statement. The following example (not my real example) doesn't work.

var firstName = "John";
var id = 12;
var sql = @"Update [User] SET FirstName = @FirstName WHERE Id = @Id";
ctx.Database.ExecuteSqlCommand(sql, firstName, id);
The ExecuteSqlCommand method doesn't allow you to pass in named parameters like in ADO.Net and the documentation for this method doesn't give any examples on how to execute a parameterized query.
How do I specify the parameters correctly?
var sql = @"Update [User] SET FirstName = @FirstName WHERE Id = @Id";
ctx.Database.ExecuteSqlCommand(
    new SqlParameter("@FirstName", firstname),
    new SqlParameter("@Id", id));
                This really should be the answer marked correct, the one above is prone to attacks and is not best practices.
– Min
                Oct 28, 2014 at 20:52
                @Min, the accepted answer is no more prone to attacks than this answer. Maybe you thought it was using string.Format - it's not.
– Simon MᶜKenzie
                Nov 25, 2014 at 4:35
                This should be marked as answer! This is the one and only correct answer because it works with DateTime.
– Sven
                Jan 7, 2015 at 13:43
var firstName = "John";
var id = 12;
var sql = "Update [User] SET FirstName = {0} WHERE Id = {1}";
ctx.Database.ExecuteSqlCommand(sql, firstName, id);
                This will work, but this mechanism allows for SQL injection and also prevents the database from reusing an execution plan when the statement shows up again but with different values.
– Greg Biles
                Nov 4, 2011 at 16:52
                @GregB I do not think you are correct here. I have tested that it won't allow me to, for instance, terminate a string literal early. Moreover, I looked at the source code and found that it's using DbCommand.CreateParameter to wrap up any raw values into parameters. So no SQL injection, and a nice succinct method invocation.
– Josh Gallagher
                Nov 17, 2011 at 11:52
                @JoshGallagher Yes, you're right.  I was thinking of a string.Format scenario putting this together.
– Greg Biles
                Dec 7, 2011 at 22:07
                It does NOT work as of SQL Server 2008 R2. You'll have @p0, @p2, ..., @pN instead of parameters you passed. Use SqlParameter("@paramName", value) instead.
– Arnthor
                Jun 19, 2014 at 10:13
                @GregBiles and others:  This overload is definitely NOT using string formatting, even though it looks like it.  If you look at the sql in profiler, it is parameterized.  .NET is doing the right thing in this case and changing {0} to `@p0, then parameterizing.  It's a trade-off.  It does look like evil string.format, but it is more concise (and db agnostic, see other answer below) than having to do new SqlParameter("@foo",paramvalue)
– Daniel
                Oct 15, 2019 at 14:54
1) Pass raw arguments and use the {0} syntax. E.g:
DbContext.Database.SqlQuery("StoredProcedureName {0}", paramName);
2) Pass DbParameter subclass arguments and use @ParamName syntax. 
DbContext.Database.SqlQuery("StoredProcedureName @ParamName", 
                                   new SqlParameter("@ParamName", paramValue);
If you use the first syntax, EF will actually wrap your arguments with DbParamater classes, assign them names, and replace {0} with the generated parameter name.
The first syntax if preferred because you don't need to use a factory or know what type of DbParamaters to create (SqlParameter, OracleParamter, etc.).
                Upvoted for mentioning that the {0} syntax is database agnostic.    "... you dont[sic] need to use a factory or know what type of DbParamaters[sic] to create ..."
– Makotosan
                Mar 17, 2015 at 18:51
                Scenario 1 is deprecated in favour of an interpolated version.   Equivalent is now: DbContext.Database.ExecuteSqlInterpolated($"StoredProcedureName {paramName}");
– ScottB
                Jan 26, 2020 at 21:29
The other answers don't work when using Oracle.  You need to use : instead of @.
var sql = "Update [User] SET FirstName = :FirstName WHERE Id = :Id";
context.Database.ExecuteSqlCommand(
   new OracleParameter(":FirstName", firstName), 
   new OracleParameter(":Id", id));
                Thank god no one uses Oracle.  Well not voluntarily!  EDIT: Apologies for the late joke!  EDIT: Apologies for the bad joke!
– Chris Bordeman
                Jun 4, 2020 at 17:29
Try this (edited):
ctx.Database.ExecuteSqlCommand(sql, new SqlParameter("FirstName", firstName), 
                                    new SqlParameter("Id", id));
Previous idea was wrong. 
                When I do that I get the following error: "No mapping exists from object type System.Data.Objects.ObjectParameter to a known managed provider native type."
– jessegavin
                Mar 29, 2011 at 15:27
                DbParameter is abstract. You'll have to use SqlParameter or use a DbFactory to create a DbParameter.
– jrummell
                Jul 15, 2011 at 15:14
For entity Framework Core 2.0 or above, the correct way to do this is:
var firstName = "John";
var id = 12;
ctx.Database.ExecuteSqlCommand($"Update [User] SET FirstName = {firstName} WHERE Id = {id}");
Note that Entity Framework will produce the two parameters for you, so you are protected from Sql Injection.
Also note that it is NOT:
var firstName = "John";
var id = 12;
var sql = $"Update [User] SET FirstName = {firstName} WHERE Id = {id}";
ctx.Database.ExecuteSqlCommand(sql);
because this does NOT protect you from Sql Injection, and no parameters are produced.
See this for more.
                I can see some people's enthusiasm since .NET Core 2.0 has been a smoother ride for me so far.
– Paul Carlton
                Jul 8, 2019 at 13:54
                How is the first one not vulnerable to SQL injection? Both use C# string interpolation. The first one wouldn't be able to preempt the string expansion, as far as I know. I suspect you meant that to be ctx.Database.ExecuteSqlCommand("Update [User] SET FirstName = {firstName} WHERE Id = {id}", firstName, id);
– CodeNaked
                Aug 20, 2019 at 14:14
Simplified version for Oracle. If you don't want to create OracleParameter
var sql = "Update [User] SET FirstName = :p0 WHERE Id = :p1";
context.Database.ExecuteSqlCommand(sql, firstName, id);
var id = 12;
ctx.Database.ExecuteSqlCommand(@"Update [User] SET FirstName = {0} WHERE Id = {1}"
, new object[]{ firstName, id });
This is so simple !!!
Image for knowing parameter reference
For the async Method ("ExecuteSqlCommandAsync") you can use it like this:
var sql = @"Update [User] SET FirstName = @FirstName WHERE Id = @Id";
await ctx.Database.ExecuteSqlCommandAsync(
    parameters: new[]{
        new SqlParameter("@FirstName", firstname),
        new SqlParameter("@Id", id)
                This is not db-agnostic, it will only work for MS-SQL Server. It will fail for Oracle or PG.
– ANeves
                Jun 26, 2018 at 15:45
If your underlying database data types are varchar then you should stick with the approach below. Otherwise the query would have a huge performance impact.
var firstName = new SqlParameter("@firstName", System.Data.SqlDbType.VarChar, 20)
                                Value = "whatever"
var id = new SqlParameter("@id", System.Data.SqlDbType.Int)
                                Value = 1
ctx.Database.ExecuteSqlCommand(@"Update [User] SET FirstName = @firstName WHERE Id = @id"
                               , firstName, id);
You can check Sql profiler to see the difference.
public static class DbEx {
    public static IEnumerable<T> SqlQueryPrm<T>(this System.Data.Entity.Database database, string sql, object parameters) {
        using (var tmp_cmd = database.Connection.CreateCommand()) {
            var dict = ToDictionary(parameters);
            int i = 0;
            var arr = new object[dict.Count];
            foreach (var one_kvp in dict) {
                var param = tmp_cmd.CreateParameter();
                param.ParameterName = one_kvp.Key;
                if (one_kvp.Value == null) {
                    param.Value = DBNull.Value;
                } else {
                    param.Value = one_kvp.Value;
                arr[i] = param;
            return database.SqlQuery<T>(sql, arr);
    private static IDictionary<string, object> ToDictionary(object data) {
        var attr = System.Reflection.BindingFlags.Public | System.Reflection.BindingFlags.Instance;
        var dict = new Dictionary<string, object>();
        foreach (var property in data.GetType().GetProperties(attr)) {
            if (property.CanRead) {
                dict.Add(property.Name, property.GetValue(data, null));
        return dict;
Usage:
var names = db.Database.SqlQueryPrm<string>("select name from position_category where id_key=@id_key", new { id_key = "mgr" }).ToList();
                Any chance you could explain this code and why it is an answer to the question posed, so that those who come and find this later can understand it?
– Andrew Barber
                Sep 25, 2012 at 4:38
                Problem with {0} syntax that you loose readability - i personally do not really like it. Problem with passing SqlParameters that you need to specify concrete implementation of DbParameter (SqlParameter, OracleParameter etc.). The provided example allows you to avoid these issues.
– Neco
                Oct 11, 2013 at 18:22
                I guess that's a valid opinion, but you have not answered the question actually being asked here; How to pass parameters to ExecuteSqlCommand() You should be sure to answer the specific question being asked when you post answers.
– Andrew Barber
                Oct 11, 2013 at 21:17
                Downvoted because it is unnecessarily complicated (e.g. uses reflection, re-inventing the wheel, fails to account for different database providers)
– an phu
                Mar 20, 2015 at 19:55
                Up-voted because it shows one of the possible solutions. I'm sure ExecuteSqlCommand accepts parameters the same way SqlQuery does.I also like Dapper.net style of passing the parameters.
– Zar Shardan
                Jun 29, 2016 at 11:49
Stored procedures can be executed like below
 string cmd = Constants.StoredProcs.usp_AddRoles.ToString() + " @userId, @roleIdList";
                        int result = db.Database
                                       .ExecuteSqlCommand
                                           new SqlParameter("@userId", userId),
                                           new SqlParameter("@roleIdList", roleId)
For .NET Core 2.2, you can use FormattableString for dynamic SQL. 
//Assuming this is your dynamic value and this not coming from user input
var tableName = "LogTable"; 
// let's say target date is coming from user input
var targetDate = DateTime.Now.Date.AddDays(-30);
var param = new SqlParameter("@targetDate", targetDate);  
var sql = string.Format("Delete From {0} Where CreatedDate < @targetDate", tableName);
var froamttedSql = FormattableStringFactory.Create(sql, param);
_db.Database.ExecuteSqlCommand(froamttedSql);
        
Thanks for contributing an answer to Stack Overflow!
Please be sure to answer the question. Provide details and share your research!
But avoid …
Asking for help, clarification, or responding to other answers.
Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.