如何从表名指定为 SqlParameter 的表中进行选择？

发布于 2024-12-06 10:24:29 字数 720 浏览 2 评论 0原文

我正在尝试执行动态 sql 选择，我使用参数从表中进行选择。

SELECT null FROM @TableName

但是我收到错误必须声明表变量@TableName。我怀疑这是因为我正在使用变量从表中进行选择。我以前不需要这样做。

List<SqlParameter> sqlParams = new List<SqlParameter>()
{ 
    new SqlParameter("TableName", "testtable"),
    new SqlParameter("FieldName", "testfield"),
    new SqlParameter("Find", "testfind"),
};
string sqlSelect = "SELECT null FROM @TableName 
                    WHERE @FieldName LIKE '%' + @Find + '%' ";

DataTable dtSelect = SqlHelper.ExecuteDataset(sqlConn, CommandType.Text, 
                        sqlSelect, 30, sqlParams.ToArray()).Tables[0]; 
//30 = timeout

如何使用动态 sql 执行上述操作？（请不要存储过程）

原文

I am trying to perform dynamic sql select where I am selecting from a table using a parameter.

SELECT null FROM @TableName

However I am getting error must declare table variable @TableName. I suspect this is because I am selecting from a table using a variable. I have not needed to do this before.

List<SqlParameter> sqlParams = new List<SqlParameter>()
{ 
    new SqlParameter("TableName", "testtable"),
    new SqlParameter("FieldName", "testfield"),
    new SqlParameter("Find", "testfind"),
};
string sqlSelect = "SELECT null FROM @TableName 
                    WHERE @FieldName LIKE '%' + @Find + '%' ";

DataTable dtSelect = SqlHelper.ExecuteDataset(sqlConn, CommandType.Text, 
                        sqlSelect, 30, sqlParams.ToArray()).Tables[0]; 
//30 = timeout

How can I perform the above using dynamic sql? (no stored procedures please)

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

装纯掩盖桑 2024-12-13 10:24:29

您不能对表名和列名等参数使用参数。对于那些您可以有一个可能值的白名单，然后在构建 SQL 查询时使用字符串连接。

回复收藏 0 原文

追我者格杀勿论 2024-12-13 10:24:29

您不能使用这样的参数，因此您必须将查询构建为字符串。您可以在 SQL 中执行此操作，但也可以仅在 C# 代码中创建字符串。

确保表名称和字段名称是安全且可信的值，并且不是直接来自不安全的来源（例如 Web 请求）。

string tableName = "testtable";
string fieldName = "testfield";

List<SqlParameter> sqlParams = new List<SqlParameter>() { 
  new SqlParameter("Find", "testfind"),
};
string sqlSelect =
  "SELECT null " +
  "FROM " + tableName + " " +
  "WHERE " + fieldName + " LIKE '%' + @Find + '%' ";

You can't use parameters like that, so you have to build the query as a string. You could do that in SQL, but you can also just create the string in the C# code.

Make sure that the table name and field name are safe and trusted values, and doesn't come directly from an unsafe source like a web request.

string tableName = "testtable";
string fieldName = "testfield";

List<SqlParameter> sqlParams = new List<SqlParameter>() { 
  new SqlParameter("Find", "testfind"),
};
string sqlSelect =
  "SELECT null " +
  "FROM " + tableName + " " +
  "WHERE " + fieldName + " LIKE '%' + @Find + '%' ";

回复收藏 0 原文

一曲琵琶半遮面シ 2024-12-13 10:24:29

    private DataTable ExecuteDynamic(string TableName,string FieldName, string Find)
    {

    string sqlSelect = "SELECT * FROM " + TableName +  
                        " WHERE " + FieldName + " LIKE '%'" + Find + "'%' ";
    using (connection = new SqlConnection(Strcon))
        connection.Open();
    {
        using (cmd = new SqlCommand(sqlSelect, connection))
        {
            cmd.CommandType = CommandType.Text;
            cmd.CommandTimeout = 60;
            adpt = new SqlDataAdapter(cmd);
            dt = new DataTable();
            adpt.Fill(dt);
            return (dt);
        }
    }
}

    private DataTable ExecuteDynamic(string TableName,string FieldName, string Find)
    {

    string sqlSelect = "SELECT * FROM " + TableName +  
                        " WHERE " + FieldName + " LIKE '%'" + Find + "'%' ";
    using (connection = new SqlConnection(Strcon))
        connection.Open();
    {
        using (cmd = new SqlCommand(sqlSelect, connection))
        {
            cmd.CommandType = CommandType.Text;
            cmd.CommandTimeout = 60;
            adpt = new SqlDataAdapter(cmd);
            dt = new DataTable();
            adpt.Fill(dt);
            return (dt);
        }
    }
}

回复收藏 0 原文

~没有更多了~