C# safely build an SQL string to execute using Entity Framework


I'm executing SQL using EF's .SqlQuery(string sql) command.

I want to make sure the SQL string is sanitised; the logical approach is to use a SqlCommand object with parameters to build it.

However, I don't want to execute it using SqlCommand; I want SqlCommand to spit out a string that I can plug into the EF .SqlQuery(...) call.

Is there a way of doing this, or a method of ensuring .SqlQuery won't result in injection?

Doesn't EF support this out of the box?

You should be able to call SqlQuery with parameters, which takes care of SQL injection etc., as SqlCommand does:

    // Positional placeholder: EF turns {0} into a DbParameter, so the value is never spliced into the SQL text.
    var tests = context.Database.SqlQuery<Test>(
        @"SELECT Id, Name FROM Tests WHERE Name = {0}", "testname");

Or:

    // Named parameter: the same thing with an explicit SqlParameter.
    var tests = context.Database.SqlQuery<Test>(
        @"SELECT Id, Name FROM Tests WHERE Name = @name",
        new SqlParameter("@name", "testname"));
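To make the contrast concrete, here is an added example (not code from the question or the answer above) showing the string-building pattern the asker wanted to avoid next to the two parameterised forms EF6 supports. The Test entity, TestContext and the method names are assumed for illustration.

```csharp
using System.Collections.Generic;
using System.Data;
using System.Data.Entity;
using System.Data.SqlClient;
using System.Linq;

// Hypothetical EF6 model and context, matching the names used in the answer.
public class Test
{
    public int Id { get; set; }
    public string Name { get; set; }
}

public class TestContext : DbContext
{
    public DbSet<Test> Tests { get; set; }
}

public static class TestQueries
{
    // UNSAFE: the caller's input becomes part of the SQL text itself, so any
    // quote character in 'name' changes the structure of the query. This is
    // the pattern the question is trying to avoid; shown only for contrast.
    public static List<Test> FindByNameUnsafe(TestContext context, string name)
    {
        string sql = "SELECT Id, Name FROM Tests WHERE Name = '" + name + "'";
        return context.Database.SqlQuery<Test>(sql).ToList();
    }

    // SAFE: the value travels as a command parameter, never as SQL text.
    // EF converts each {n} placeholder into a DbParameter before executing.
    public static List<Test> FindByName(TestContext context, string name)
    {
        return context.Database.SqlQuery<Test>(
            "SELECT Id, Name FROM Tests WHERE Name = {0}", name).ToList();
    }

    // SAFE, explicit form: a named SqlParameter with a declared type and size,
    // useful when the same value appears more than once in the statement.
    public static List<Test> FindByNameNamed(TestContext context, string name)
    {
        var p = new SqlParameter("@name", SqlDbType.NVarChar, 100) { Value = name };
        return context.Database.SqlQuery<Test>(
            "SELECT Id, Name FROM Tests WHERE Name = @name", p).ToList();
    }
}
```

Parameters cover values only: table and column names cannot be parameterised, so if those ever vary they must be chosen from a fixed list in code, not taken from input. A SqlParameter instance is bound to one command, so construct a fresh one per call rather than reusing it.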
