在.NET/SQL中参数化表名称? [英] Parameterise table name in .NET/SQL?
问题描述
正如该主题所暗示的那样,我希望能够使用.NET(实际上与哪种语言无关)和SQL Server来将表名作为参数传递.
As the topic suggests I wish to be able to pass table names as parameters using .NET (doesn't matter which language really) and SQL Server.
我知道如何针对价值进行此操作,例如command.Parameters.AddWithValue("whatever", whatever)在查询中使用@whatever表示参数.问题是我希望对查询的其他部分(例如列名和表名)执行此操作.
I know how to do this for values, e.g. command.Parameters.AddWithValue("whatever", whatever) using @whatever in the query to denote the parameter. The thing is I am in a situation where I wish to be able to do this with other parts of the query such as column and table names.
这不是理想的情况,但这是我必须使用的情况,它并不真正易于SQL注入,因为只有使用代码的人才能设置这些表名,而不是最终用户.但是,这很混乱.
This is not an ideal situation but it's one I have to use, it's not really prone to SQL injection as only someone using the code can set these table names and not the end-user. It is messy however.
那么,我要问的可能吗?
So, is what I am asking possible?
为了清楚地说明有关SQL注入的问题,表名仅根据源情况由源代码传递.由开发人员指定.开发人员无论如何都可以访问数据库层,所以我要问的原因不是为了安全,而是为了使代码更简洁.
To make the point about SQL injection clear, the table names are only passed in by source code, depending on the situation. It is the developer who specifies this. The developer will have access to the database layer anyway, so the reason I am asking is not so much for security but just to make the code cleaner.
推荐答案
我不认为我在所见过的任何SQL方言中都没有见过此功能,但这不是一个领域的专业知识.
I don't think I've ever seen this capability in any SQL dialect I've seen, but it's not an area of expertise.
我建议将字符限制为AZ,az,0-9,'.','_'和''-然后对数据库使用任何适当的括号(例如,SQL Server的[],我相信)将整个内容包起来.然后直接将其放置在SQL中.
I would suggest restricting the characters to A-Z, a-z, 0-9, '.', '_' and ' ' - and then use whatever the appropriate bracketing is for the database (e.g. [] for SQL Server, I believe) to wrap round the whole thing. Then just place it directly in the SQL.
目前尚不清楚您没有SQL注入风险的含义-您是说名称将在源代码中,仅在源代码中吗?如果是这样,我同意这会使事情变得更好.您甚至可能不需要自动进行包围操作,如果,您相信开发人员不会成为犯罪分子(故意或非故意).
It's not entirely clear what you meant about it not being a SQL injection risk - do you mean the names will be in source code and only in source code? If so, I agree that makes things better. You may not even need to do the bracketing automatically, if you trust your developers not to be cretins (deliberately or not).
这篇关于在.NET/SQL中参数化表名称?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
