表名和表字段的SqlParameter C＃？ [英] Table name and table field on SqlParameter C#?

问题描述

我想知道如何通过SqlCommand的C＃的传递表名和表字段名。

I would like to know how to pass the table name and a table field name via SqlCommand on C#.

Tryied做它通过设置SqlCommand时使用的@符号做，但没有工作的方式。任何想法??

Tryied to do it the way it's done by setting the SqlCommand with the @ symbol but didn't work. Any ideas??

推荐答案

如果你担心SQL注入，在<一个href="https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommandbuilder(v=vs.110).aspx"相对=nofollow> SqlCommandBuilder 类（和的 DbCommandBuilder ）有一个名为QuoteIdentifier函数，将正确逃不出你的表名。

If you are worried about SQL injection, the SqlCommandBuilder class (and other DB specific versions of DbCommandBuilder) have a function called QuoteIdentifier that will escape your table name properly.

var builder = new SqlCommandBuilder();
string escTableName = builder.QuoteIdentifier(tableName);

现在，你可以建立你的声明时所使用的转义值，而不必担心注塑但你仍然应该使用参数的任何值。

Now you can used the escaped value when building your statement and not have to worry about injection- but you should still be using parameters for any values.

这篇关于表名和表字段的SqlParameter C＃？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！