3

I'm having troubles trying to execute a SQL query with repeated parameters using entity framework.

The query is a keyword search, that looks in different tables, therefore using the same parameter many times. I'm using LIKE statements (yes, I know I should be using FULLTEXTSEARCH, but I don't have time for that right now).

I've tried all the syntax explained here: How to use DbContext.Database.SqlQuery<TElement>(sql, params) with stored procedure? EF Code First CTP5 and none of them make the query work (I get zero returned rows).

I even tried building a string array in runtime, with length equal to the number of times the parameter repeats in the query, and then populating all the elements of the array with the keyword search term. Then I passed that as the object[] parameters. Didn't work either.

The only thing that works is to make a search&replace that is obviously a bad idea because the parameter comes from a text input, and I'll be vulnerable to SQL injection attacks.

The working code (vulnerable to SQL injection attacks, but the query returns rows):

//not the real query, but just for you to have an idea
string query =
    "SELECT Field1, " +
    "       Field2 " +
    "FROM   Table1 " +
    "WHERE  UPPER(Field1) LIKE '%{0}%' " +
    "OR     UPPER(Field2) LIKE '%{0}%'";

//keywordSearchTerms is NOT sanitized
query = query.Replace("{0}", keywordSearchTerms.ToUpper());

List<ProjectViewModel> list = null;
using (var context = new MyContext())
{
    list = context.Database.SqlQuery<ProjectViewModel>(query, new object[] { }).ToList();
}
return list;

I'm using ASP.NET MVC 4, .NET 4.5, SQL Server 2008 and Entity Framework 5.

Any thoughts on how to make the SQLQuery<> method populate all the occurrences of the parameter in the query string? Thank you very much for your time.

Community
  • 1
  • 1
Juan Paredes
  • 769
  • 4
  • 12
  • 22

3 Answers3

5

Try this:

string query =
    @"SELECT Field1,
          Field2 FROM Table1
      WHERE UPPER(Field1) LIKE '%' + @searchTerm + '%'
      OR UPPER(Field2) LIKE '%' + @searchTerm + '%'";
 
context
    .SqlQuery<ProjectViewModel>(query, new SqlParameter("@searchTerm", searchTerm))
    .ToList();
Heavy JS
  • 51
  • 7
serefbilge
  • 1,654
  • 4
  • 29
  • 55
0

You can use parameters in your query. Something like this

string query =
 "SELECT Field1, " +
 "       Field2 " +
 "FROM   Table1 " +
 "WHERE  UPPER(Field1) LIKE @searchTerm" +
 "OR     UPPER(Field2) LIKE @searchTerm";

        string search= string.Format("%{0}%", keywordSearchTerms);

        context.SqlQuery<ProjectViewModel>(query, new SqlParameter("@searchTerm", search)).ToList();
Jurica Smircic
  • 6,117
  • 2
  • 22
  • 27
-2

how about try this 

string query =
string.Format("SELECT Field1, Field2 FROM   Table1 WHERE  UPPER(Field1) LIKE '%{0}%' 
OR     UPPER(Field2) LIKE '%{0}%'",keywordSearchTerms.ToUpper());

context. Database.SqlQuery< ProjectViewModel >(query)
Cloudsan Chen
  • 329
  • 1
  • 10
  • I also tried this. In fact, I think it was one of my first attemps. It doesn't throw an exception, but the query returns zero results. Thanks. – Juan Paredes Apr 30 '13 at 13:54
  • Did you try to use the query in SQL Management Studio? – Cloudsan Chen Apr 30 '13 at 13:56
  • what's your keywordSearchTerms? is it a single word? or multiple words? – Cloudsan Chen Apr 30 '13 at 14:36
  • The query works. When I use search&replace on the query string, the method gives back results for certain searches I have prepared for testing. It also works on SQL Management studio. So is not the query that is wrong. What I think the problem is that the SqlQuery(query, params) method does not substitute the parameter placeholders in the query string with the sanitized value. Finally I don't think is relevant the value of the keywordSearchTerms. The LIKE operator works with strings, regardless of single or multiple words, as far as I know. Thanks for your time. – Juan Paredes Apr 30 '13 at 15:43
  • 4
    Since you're using string.Format to do the parameter replacement instead of SqlParameter, isn't this method susceptible to SQL injection? – Ellesedil Jun 11 '14 at 20:04