How to pass a column name value as SQL argument using placeholders

五迷三道 · Submitted on 2019-12-02 05:09:53

Question


How to pass a column name value as a SQL argument using parameter placeholders?

The goal is having this working:

var sql = "SELECT * FROM Condos WHERE @0 LIKE @1";
var sqlData = db.Query(sql,choice,"%"+searchString+"%");

choice is a variable that will store the column name

@0 is a column name (and I don't succeed in passing it as an argument)

@1 is a search string (and I have no problem with it)

I have read and tried a lot of things:

The one below doesn't throw any error but doesn't return any data

var sql = "SELECT * FROM Condos WHERE @0 LIKE @1";
var sqlData = db.Query(sql,choice,"%"+searchString+"%");

The one below throws Column name not valid = '@0'

var sql = "SELECT * FROM Condos WHERE [@0] LIKE @1"
var sqlData = db.Query(sql,choice,"%"+searchString+"%");

The one below throws Column name not valid = 'choice'

var sql = "SELECT * FROM Condos WHERE choice LIKE @0";
var sqlData = db.Query(sql,"%"+searchString+"%");

The one below throws Must declare scalar variable "@choice"

var sql = "SELECT * FROM Condos WHERE @choice LIKE @0";
var sqlData = db.Query(sql,"%"+searchString+"%");

The one below doesn't throw any error but doesn't return any data

var sql = "SELECT * FROM Condos WHERE '@choice' LIKE @0";
var sqlData = db.Query(sql,"%"+searchString+"%");

The one below doesn't throw any error but doesn't return any data

var sql = "SELECT * FROM Condos WHERE '"+choice+"' LIKE @0";
var sqlData = db.Query(sql,"%"+searchString+"%");

The one below: BIG CRASH

var sql = "SELECT * FROM Condos WHERE '"+@choice+"' LIKE @0";
var sqlData = db.Query(sql,"%"+searchString+"%");

The one below throws Column name not valid = 'NameShort'

(NameShort is precisely the correct column name)

var sql = "SELECT * FROM Condos WHERE ['"+choice+"'] LIKE @0";
var sqlData = db.Query(sql,"%"+searchString+"%");

The one below: BIG CRASH

var sql = "SELECT * FROM Condos WHERE ['"+@choice+"'] LIKE @0";
var sqlData = db.Query(sql,"%"+searchString+"%");

HELP !!!!!!!!!!!!!!


Answer 1:


The short answer is that you can't; parameters are only supported for values, not for column names.

You either have to fall back on direct text insertion as Richard has said (whether this happens in code or via the use of the SQL Server exec() function), or use some kind of a library (like LINQ) that lets you construct queries dynamically and then converts that into a text representation.

If you go the direct text insertion route, be very sure that you are not allowing direct user input to be inserted; do some kind of translation yourself to avoid SQL Injection attacks.




Answer 2:


I'm looking at what you've tried, and you've just left out the obvious one:

var sql = "SELECT * FROM Condos WHERE " + choice + " LIKE @1";
var sqlData = db.Query(sql,choice,"%"+searchString+"%");

The only reason you will need to escape the column name is when it is a reserved word, such as Order. In that case, you will need to use the database-specific identifier escape character.

For example, MySQL:

var sql = "SELECT * FROM Condos WHERE `" + choice + "` LIKE @1";
var sqlData = db.Query(sql,choice,"%"+searchString+"%");

SQL Server:

var sql = "SELECT * FROM Condos WHERE [" + choice + "] LIKE @1";
var sqlData = db.Query(sql,choice,"%"+searchString+"%");
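Added example, not code from the question or either answer: both answers say the same thing, a parameter can only carry a value, so the column name has to be put into the SQL text itself, quoted as an identifier and checked against something you control so that user input never becomes SQL. The script below shows that in Python with an in-memory SQLite database rather than the asker's C#/SQL Server setup. The Condos table, its rows, the SEARCHABLE_COLUMNS allow-list and the function names are all constructed for this demonstration. It also reproduces the asker's first attempt to show why it returns no rows instead of failing: the driver binds the column name as a string literal, so the condition compares the text 'NameShort' against the pattern.

```python
import sqlite3

# Constructed sample data for the example; not the asker's real Condos schema.
# [Order] is a reserved word, included to show why identifier quoting is needed.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE Condos (NameShort TEXT, City TEXT, [Order] INTEGER)")
conn.executemany(
    "INSERT INTO Condos VALUES (?, ?, ?)",
    [("Seaview", "Miami", 1), ("Hillside", "Denver", 2), ("Lakeside", "Miami", 3)],
)

# Allow-list (constructed): keys are the values the UI is permitted to send,
# values are the real column identifiers. Anything not in this map is rejected
# before any SQL text is built, so user input never reaches the query as an identifier.
SEARCHABLE_COLUMNS = {
    "name": "NameShort",
    "city": "City",
    "order": "Order",
}


def quote_identifier(name: str) -> str:
    """Quote an identifier with standard SQL double quotes (SQLite, PostgreSQL).
    SQL Server uses [...] and MySQL uses `...`; the escaping rule is the same in
    each dialect: double any embedded copy of the closing quote character."""
    return '"' + name.replace('"', '""') + '"'


def placeholder_as_column(choice: str, search: str) -> list:
    """The asker's first attempt, reproduced: the column name is passed as a
    parameter. The driver binds it as a string literal, so the WHERE clause is
    effectively 'NameShort' LIKE '%Sea%', which is false for every row."""
    cur = conn.execute("SELECT * FROM Condos WHERE ? LIKE ?", (choice, f"%{search}%"))
    return cur.fetchall()


def search_condos(choice: str, search: str) -> list:
    """Correct approach: map the caller's choice through the allow-list, splice the
    quoted identifier into the SQL text, and keep the search value as a parameter."""
    try:
        column = SEARCHABLE_COLUMNS[choice]
    except KeyError:
        raise ValueError(f"unknown search column: {choice!r}") from None
    sql = f"SELECT NameShort, City FROM Condos WHERE {quote_identifier(column)} LIKE ?"
    return conn.execute(sql, (f"%{search}%",)).fetchall()


if __name__ == "__main__":
    print("placeholder as column:", placeholder_as_column("NameShort", "Sea"))
    print("allow-listed column:  ", search_condos("name", "Sea"))
```

The allow-list is the important part: `quote_identifier` only makes a known-good name safe to splice, it does not make an arbitrary string safe. If the UI sends anything other than one of the three keys, `search_condos` raises before any SQL is assembled.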


Source: https://stackoverflow.com/questions/12537629/how-to-pass-a-column-name-value-as-sql-argument-using-placeholders
