SqlParameter does not allow a table name - other options without SQL injection attack?

Front-end | Unresolved | 3 | 396
清酒与你 2020-11-30 11:01

I got a runtime error saying "Must declare the table variable "@parmTableName"". Meaning having a table name as a SQL parameter in the SQL statement is not allowed.

3 answers
  •  孤独总比滥情好
    2020-11-30 11:17

    As others have already pointed out, you can't use table names and fields in a SqlParameter. One thing that you can try is to escape the table name using SqlCommandBuilder, like:

    string tableName = "YourTableName";
    // SqlCommandBuilder lives in System.Data.SqlClient; QuoteIdentifier wraps the
    // name in [] and doubles any ']' inside it so the identifier cannot end early.
    var builder = new SqlCommandBuilder();
    string escapedTableName = builder.QuoteIdentifier(tableName);

    using (var dbCommand = dbConnection.CreateCommand())
    {
        string sqlAsk = "";
        sqlAsk += " DELETE FROM " + escapedTableName; //concatenate here
        sqlAsk += " WHERE ImportedFlag = 'F' ";

        dbCommand.CommandText = sqlAsk; // the command text must be assigned before executing
        dbCommand.Parameters.Clear();

        dbConnection.Open();

        int rowAffected = dbCommand.ExecuteNonQuery();
    }
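As an added example (not code from the original answer or the asker), the snippet below carries the answer's approach through to a complete method: the table name is first checked against an allow-list, since QuoteIdentifier only keeps the identifier inside its brackets and does nothing to restrict which table a caller may name; the quoted identifier is then concatenated while the comparison value is passed as a real SqlParameter. A second method shows the alternative of resolving the name through INFORMATION_SCHEMA with a parameterized query when the set of tables is not fixed. The class name, method names and the table names in the allow-list are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class ImportCleanup
{
    // Assumed allow-list of tables this cleanup may touch (constructed example values).
    private static readonly HashSet<string> AllowedTables =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "ImportStaging", "ImportArchive" };

    // Deletes rows whose ImportedFlag equals 'flag' from one allow-listed table
    // and returns the number of rows affected.
    public static int DeleteByFlag(SqlConnection dbConnection, string tableName, char flag)
    {
        // 1. Decide whether the caller may name this object at all. QuoteIdentifier
        //    only stops the identifier from breaking out of its brackets; it does not
        //    stop the caller from naming a table they should not be able to reach.
        if (!AllowedTables.Contains(tableName))
            throw new ArgumentException("Table is not permitted for this operation.", nameof(tableName));

        // 2. Quote the identifier: wraps it in [] and doubles any ']' inside it.
        string escapedTableName = new SqlCommandBuilder().QuoteIdentifier(tableName);

        using (var dbCommand = dbConnection.CreateCommand())
        {
            // 3. The identifier is concatenated; the comparison value stays a parameter.
            dbCommand.CommandText = "DELETE FROM " + escapedTableName + " WHERE ImportedFlag = @flag";
            dbCommand.Parameters.Add("@flag", SqlDbType.Char, 1).Value = flag;

            if (dbConnection.State != ConnectionState.Open)
                dbConnection.Open();

            return dbCommand.ExecuteNonQuery();
        }
    }

    // Alternative when the table set is not fixed at compile time: resolve the name
    // through the catalog with a parameterized query and use the catalog's own spelling
    // of the name, so only an existing base table in the given schema can be addressed.
    public static string ResolveTableName(SqlConnection dbConnection, string schema, string tableName)
    {
        using (var lookup = dbConnection.CreateCommand())
        {
            lookup.CommandText =
                "SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES " +
                "WHERE TABLE_SCHEMA = @schema AND TABLE_NAME = @name AND TABLE_TYPE = 'BASE TABLE'";
            lookup.Parameters.Add("@schema", SqlDbType.NVarChar, 128).Value = schema;
            lookup.Parameters.Add("@name", SqlDbType.NVarChar, 128).Value = tableName;

            if (dbConnection.State != ConnectionState.Open)
                dbConnection.Open();

            object found = lookup.ExecuteScalar();
            if (found == null || found == DBNull.Value)
                throw new ArgumentException("No such table in schema.", nameof(tableName));

            var builder = new SqlCommandBuilder();
            // Quote schema and table separately; a single QuoteIdentifier call on
            // "dbo.MyTable" would produce [dbo.MyTable], which is one name, not two.
            return builder.QuoteIdentifier(schema) + "." + builder.QuoteIdentifier((string)found);
        }
    }
}
```

The allow-list is the control that actually bounds what a caller can reach; quoting only guarantees that whatever name gets through is treated as exactly one identifier. When using ResolveTableName, pass its return value into the DELETE statement in place of escapedTableName and keep the WHERE value parameterized as above.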
    
