表名和表字段的SqlParameter C#? [英] Table name and table field on SqlParameter C#?
问题描述
我想知道如何通过SqlCommand的C#的传递表名和表字段名。
I would like to know how to pass the table name and a table field name via SqlCommand on C#.
Tryied做它通过设置SqlCommand时使用的@符号做,但没有工作的方式。任何想法??
Tryied to do it the way it's done by setting the SqlCommand with the @ symbol but didn't work. Any ideas??
推荐答案
如果你担心SQL注入,在<一个href="https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommandbuilder(v=vs.110).aspx"相对=nofollow> SqlCommandBuilder 类(和的 DbCommandBuilder )有一个名为QuoteIdentifier函数,将正确逃不出你的表名。
If you are worried about SQL injection, the SqlCommandBuilder class (and other DB specific versions of DbCommandBuilder) have a function called QuoteIdentifier that will escape your table name properly.
var builder = new SqlCommandBuilder();
string escTableName = builder.QuoteIdentifier(tableName);
现在,你可以建立你的声明时所使用的转义值,而不必担心注塑但你仍然应该使用参数的任何值。
Now you can used the escaped value when building your statement and not have to worry about injection- but you should still be using parameters for any values.
这篇关于表名和表字段的SqlParameter C#?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!