在.net / SQL Parametrise表名? [英] Parametrise table name in .Net/SQL?
问题描述
为题暗示我希望能够通过表bames为使用。NET(无所谓哪一种语言真的)的参数和SQL Server。
As the topic suggests I wish to be able to pass table bames as parameters using .Net (doesn't matter which language really) and SQL Server.
我知道如何做到这一点的值,即 command.Parameters.AddWithValue(无所谓,等等)使用 @whatever 在查询来表示该参数。事情是我在一个情况下,我希望能够与查询的其它部分,如列和表名做到这一点。
I know how to do this for values, i.e command.Parameters.AddWithValue("whatever", whatever) using @whatever in the query to denote the parameter. The thing is I am in a situation where I wish to be able to do this with other parts of the query such as column and table names.
这是不理想的情况,但它是一个我用,这不是真的容易受到SQL注入的使用code可以设置这些表的名称,而不是最终用户只有一个人。然而,这是混乱的。
This is not an ideal situation but it's one I have to use, It's not really prone to SQL injection as only someone using the code can set these table names and not the end-user. It is messy however.
那么,是什么,我问可能吗?
So, is what I am asking possible?
编辑:使有关SQL注入点清晰,表名是唯一通过由源$ C $ C,视情况而定。这是谁规定这样的开发商。开发者将有机会获得到数据库层,无论如何,所以我问其原因,与其说是为了安全,但只是为了让code清洁。
to make the point about SQL injection clear, the table names are only passed in by source code, depending on the situation. It is the developer who specifies this. The developer will have access to the database layer anyway, so the reason I am asking is not so much for security but just to make the code cleaner.
推荐答案
我不的认为的我见过的任何SQL方言我已经看到了这个能力,但它不是一个地区的专业知识。
I don't think I've ever seen this capability in any SQL dialect I've seen, but it's not an area of expertise.
我会建议限制字符包括AZ,az,0-9,'_'和'''' - 然后使用任何适当的包围是数据库(例如:[]为SQL Server,我相信)包圆整的事情。然后,只需直接将其放置在SQL。
I would suggest restricting the characters to A-Z, a-z, 0-9, '.', '_' and ' ' - and then use whatever the appropriate bracketing is for the database (e.g. [] for SQL Server, I believe) to wrap round the whole thing. Then just place it directly in the SQL.
这不是完全清楚你的意思它不是一个SQL注入风险 - 你的意思的名字将在源$ C $ c和只在源$ C $ C?如果是这样,我认为,让事情变得更好。你甚至不需要做自动包围曝光,如果的你信任你的开发人员不被白痴(有意或无意)。
It's not entirely clear what you meant about it not being a SQL injection risk - do you mean the names will be in source code and only in source code? If so, I agree that makes things better. You may not even need to do the bracketing automatically, if you trust your developers not to be cretins (deliberately or not).
这篇关于在.net / SQL Parametrise表名?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
