C# SqlCommand - cannot use parameters for column names, how to resolve?

c# sql sql-server-2005

As has been mentioned, you cannot parameterise the fundamental query, so you will have to build the query itself at runtime. You should white-list the input of this, to prevent injection attacks, but fundamentally:

// TODO: verify that "slot" is an approved/expected value
SqlCommand command = new SqlCommand("SELECT [" + slot +
           "] FROM Users WHERE name=@name; ")
prikaz.Parameters.AddWithValue("name", name);

This way @name is still parameterised etc.


You cannot do this in regular SQL - if you must have configurable column names (or table name, for that matter), you must use dynamic SQL - there is no other way to achieve this.

string sqlCommandStatement =  
   string.Format("SELECT {0} FROM dbo.Users WHERE name=@name", "slot");

and then use the sp_executesql stored proc in SQL Server to execute that SQL command (and specify the other parameters as needed).

Dynamic SQL has its pros and cons - read the ultimate article on The Curse and Blessings of Dynamic SQL expertly written by SQL Server MVP Erland Sommarskog.

Related

Multiple UI Threads - Winforms
Swift override function in extension
Calling Perl script from PHP and passing in variables, while also using variablized perl script name
How to initialize `std::function` with a member-function?
How do I perform iterator computations over iterators of Results without collecting to a temporary vector?
Installation of PyCairo on Windows
Convert inline assembly code to C++
Unary minus and floating point number in OCaml
Firebase Cloud Messaging different keys
Extract columns from a file based on header selected from another file
Does software compilation continue even if I close the lid of my MacBook Pro (7,1)?
Create custom keyboard shortcuts in GBoard in iOS