Table name and table field on SqlParameter C#?

c# .net sql

Solution 1:

If you are worried about SQL injection, the SqlCommandBuilder class (and other DB specific versions of DbCommandBuilder) have a function called QuoteIdentifier that will escape your table name properly.

var builder = new SqlCommandBuilder();
string escTableName = builder.QuoteIdentifier(tableName);

Now you can used the escaped value when building your statement and not have to worry about injection- but you should still be using parameters for any values.

Solution 2:

I guess you are trying to execute a sql statement like

select @field from @table

but that will not work. Sql can't have parameters on fieldnames or tablenames, just on values.

If my guess wasn't correct, please extend your question.

Related

What's the penalty for Synthetic methods?
Android Studio - Cannot resolve symbol 'firebase'
What is the best way to declare on UI component in android with Kotlin?
How to use a bash script variable with sed [duplicate]
MySQL: Inner join vs Where [duplicate]
'let' vs 'var' in javascript for loops, does it mean that all the for loops using the 'var i =0' should actually be 'let i =0' instead?
Strong typedefs [duplicate]
adding regression line per group with ggplot2
What if script tag has both "src" and inline script? [duplicate]
Is there a JavaScript way to do file_get_contents()?
How to sort JTable in shortest way?
In GNU C inline asm, what are the size-override modifiers for xmm/ymm/zmm for a single operand?