问题
I'm a big fan of using named parameters instead of string-based parameter injection. It's type-safe and safe against most forms of SQL injection. In old ADO.NET, I would create a SqlCommand object and a bunch of SqlParameters for my query.
var sSQL = "select * from Users where Name = @Name";
var cmd = new SqlCommand(conn, sSQL);
cmd.Parameters.AddWithValue("@Name", "Bob");
cmd.ExecuteReader();
Now, in Entity Framework, it appears (on this link) to have regressed to a simple String.Format statement and string injection again: (simplified for discussion)
MyRepository.Users.SqlQuery("Select * from Users where Name = {0}", "Bob");
Is there a way to use named parameters with the Entity Framework DbSqlQuery class?
回答1:
var param = new ObjectParameter(":p0", "Bob");
MyRepository.Users.SqlQuery("Select * from Users where Name = :p0", param);
回答2:
Since I can't comment, I'm fixing the other answer:
var param = new ObjectParameter("p0", "Bob");
MyRepository.Users.SqlQuery("Select * from Users where Name = :p0", param);
You don't have to put a colon on the name when instantiating an ObjectParameter. That's why SLC got the error he mentioned in his comment.
来源:https://stackoverflow.com/questions/12925649/when-using-dbsett-sqlquery-how-to-use-named-parameters