
ObjectContext.ExecuteStoreCommand Method

Executes an arbitrary command directly against the data source using the existing connection.

Namespace:  System.Data.Objects
Assembly:  System.Data.Entity (in System.Data.Entity.dll)
public int ExecuteStoreCommand(
	string commandText,
	params Object[] parameters
)

Parameters

commandText
Type: System.String
The command to execute, in the native language of the data source.
parameters
Type: System.Object[]
An array of parameters to pass to the command.

Return Value

Type: System.Int32
The number of rows affected.

Using parameterized commands helps guard against SQL injection attacks, in which an attacker "injects" a command into a SQL statement that compromises security on the server. Parameterized commands guard against a SQL injection attack by guaranteeing that values received from an external source are passed as values only, and not part of the SQL statement. As a result, SQL commands inserted into a value are not executed at the data source. Rather, they are evaluated only as a parameter value. In addition to the security benefits, parameterized commands provide a convenient method for organizing values passed with a SQL statement or to a stored procedure.

The parameters value can be an array of DbParameter objects or an array of parameter values. If only values are supplied, an array of DbParameter objects is created based on the order of the values in the array.
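The following example is added here and is not part of the original topic or of the Entity Framework sources. It contrasts formatting a value into commandText with the two parameter forms described above. The Payment(Amount, Creditor) table is taken from the community samples on this page; the PaymentCommands class, its method names, and the use of SqlParameter (SQL Server provider) are assumptions.

```csharp
using System;
using System.Data.Objects;
using System.Data.SqlClient;

// Added example. PaymentCommands and its method names are hypothetical.
public static class PaymentCommands
{
    // UNSAFE: string.Format writes the value into the SQL text before
    // ExecuteStoreCommand is called, so no parameter is ever created and
    // the creditor value becomes part of the statement itself.
    public static int InsertUnsafe(ObjectContext context, decimal amount, string creditor)
    {
        string sql = string.Format(
            "INSERT INTO Payment(Amount, Creditor) VALUES ({0}, '{1}')",
            amount, creditor);
        return context.ExecuteStoreCommand(sql);
    }

    // SAFE: the {0}/{1} placeholders stay in the command text and the values
    // are passed separately; DbParameter objects are created in array order.
    public static int InsertWithValues(ObjectContext context, decimal amount, string creditor)
    {
        int rows = context.ExecuteStoreCommand(
            "INSERT INTO Payment(Amount, Creditor) VALUES ({0}, {1})",
            amount, creditor);

        // A single-row INSERT should report exactly one affected row.
        if (rows != 1)
        {
            throw new InvalidOperationException(
                "Expected 1 affected row, got " + rows + ".");
        }
        return rows;
    }

    // SAFE: explicit DbParameter objects bound to named markers.
    // SqlParameter assumes the SQL Server provider.
    public static int InsertWithDbParameters(ObjectContext context, decimal amount, string creditor)
    {
        return context.ExecuteStoreCommand(
            "INSERT INTO Payment(Amount, Creditor) VALUES (@amount, @creditor)",
            new SqlParameter("@amount", amount),
            new SqlParameter("@creditor", creditor));
    }
}
```

In code review, any call that builds commandText with string.Format, concatenation, or StringBuilder from external input should be treated as the unsafe form, even though its placeholders look the same as the parameterized ones.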

The store command is executed in the context of the current transaction, if a current transaction exists.

For more information, see Executing Store Commands and How to: Directly Execute Arbitrary Command Against the Store.

.NET Framework

Supported in: 4

.NET Framework Client Profile

Supported in: 4

Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows Server 2008 (Server Core not supported), Windows Server 2008 R2 (Server Core supported with SP1 or later), Windows Server 2003 SP2

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.
Community Content
Examples

As the parameters parameter is a param array, an array of objects does not need to be created explicitly, as the .NET system will handle this internally.

Because of this the previous example can be coded more simply as:

string insertpayment = "INSERT INTO Payment(Amount, Creditor) VALUES ({0}, {1})";
context.ExecuteStoreCommand(insertpayment, 400, "John");
Clarification regarding Return Value
The article states that ExecuteStoreCommand returns "the number of rows affected."  While this is true for certain types of database commands (UPDATE, INSERT, DELETE, etc.) there are cases where the return code may not be a valid count of affected rows.  For example, executing the command "DBCC CHECKIDENT('tablename', RESEED)" on MS SQL Server 2010 results in a return value of -1.
Example
string insertpayment = "Insert into Payment(Amount,Creditor) values ({0},{1})";
context.ExecuteStoreCommand(insertpayment, new object[] { 400, "John" });

from: http://social.msdn.microsoft.com/Forums/en-US/adonetefx/thread/ad8a0f7c-7587-4fca-b204-2488a3ec6fe8