I am trying to delete multiple rows in EF5 and I'm using the following code sample
string TestId = "12,23";
Context.Database.ExecuteSqlCommand("DELETE FROM TEST WHERE TESTID IN (@Params)", new SqlParameter("Params", TestId));
How do I pass SqlParameter for IN ? I am trying to pass a string of comma-separated values
Thanks
The only way you can pass dynamic number of values in the SQL query TESTID IN (...) part is to use a subselect. That applies to SQL query itself, so there is no parameter type that will solve your issue.
Your alternative is to build the query dynamically by using string concatenation and careful verification of each argument.
Since you are working with IDs they are probably integers.
List<int> testId = ...;
var sb = new StringBuilder();
sb.Append("DELETE FROM TEST WHERE TESTID IN (");
bool first = true;
foreach (var i in testId)
{
if (first)
first = false;
else
sb.Append(",");
sb.Append(i.ToString(CultureInfo.InvariantCulture));
}
sb.Append(")");
Context.Database.ExecuteSqlCommand(sb.ToString());
Since there are no string arguments that are being appended to the query you are safe from any SQL injections - there is no way an integer will contain malicious SQL code.
The usual approach when the number of IDs is very large (so that the query will fail during compilation for being too long) is to create a temp table and insert the IDs in it.
Another alternative is to pass in the values formatted as XML and in the SQL query write a subselect that retrieves them from the XML string.
