How can I Pass a Table Name to SqlCommand?

Submitted by 不想你离开。 on 2019-12-29 07:59:48

Question


I am trying to pass a table name as a parameter to my query through SqlCommand but it doesn't seem to be working. Here is my code:

SqlConnection con = new SqlConnection( "server=.;user=sa;password=12345;database=employee" );
con.Open( );
SqlCommand cmd = new SqlCommand( "drop table @tbName" , con );
cmd.Parameters.AddWithValue( "@tbName" , "SampleTable" );
cmd.ExecuteNonQuery( );
con.Close( );

Answer 1:


SqlCommand.Parameters are supported for Data manipulation language operations, not Data definition language operations.

Even if you use DML, you can't parameterize your table names or column names, etc. You can parameterize only your values.

Data manipulation language =

SELECT ... FROM ... WHERE ...
INSERT INTO ... VALUES ...
UPDATE ... SET ... WHERE ...
DELETE FROM ... WHERE ...

Data definition language =

CREATE TABLE ... 
DROP TABLE ... ;
ALTER TABLE ... ADD ... INTEGER;

You can't use a DROP statement with parameters.

If you really have to use a DROP statement, you might need to use string concatenation on your SqlCommand. (Be aware of SQL injection.) You might need to take a look at the term called Dynamic SQL.

Also, use a using statement to dispose your SqlConnection and SqlCommand, like:

using(SqlConnection con = new SqlConnection(ConnectionString))
using(SqlCommand cmd = con.CreateCommand())
{
   cmd.CommandText = "drop table " + "SampleTable";
   con.Open();
   cmd.ExecuteNonQuery();
}



Answer 2:


User Soner Gönül pointed out why it doesn't work; nevertheless, you can write a stored procedure yourself.

CREATE PROCEDURE dbo.procdroptable
    @TABLENAME SYSNAME
AS
 BEGIN
    SET NOCOUNT ON;
    DECLARE @SQL NVARCHAR(MAX)
    SELECT @SQL = 'DROP TABLE dbo.' + QUOTENAME(@TABLENAME) + '';
    EXEC sp_executesql @SQL;
 END
GO

Code from this question.
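
The approach both answers point at, written client-side in C# as an added example (not code from either answer or from the original page): the name is first checked against sys.tables with an ordinary parameter, then concatenated only after bracket-quoting it the way QUOTENAME does. The SafeDrop class, its method names and the restriction to the dbo schema are assumptions made for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class SafeDrop   // hypothetical helper, not part of any library
{
    // Mirrors T-SQL QUOTENAME: wrap in brackets and double any closing bracket,
    // so the name cannot terminate the identifier and start a new statement.
    static string QuoteIdentifier(string name)
    {
        if (string.IsNullOrEmpty(name) || name.Length > 128)   // sysname holds at most 128 characters
            throw new ArgumentException("Invalid identifier.", nameof(name));
        return "[" + name.Replace("]", "]]") + "]";
    }

    public static void DropTable(string connectionString, string tableName)
    {
        using (SqlConnection con = new SqlConnection(connectionString))
        {
            con.Open();

            // Step 1: here the table name is an ordinary value, so it can be a parameter.
            using (SqlCommand check = con.CreateCommand())
            {
                check.CommandText =
                    "SELECT COUNT(*) FROM sys.tables " +
                    "WHERE name = @tbName AND schema_id = SCHEMA_ID('dbo')";
                check.Parameters.Add("@tbName", SqlDbType.NVarChar, 128).Value = tableName;
                if ((int)check.ExecuteScalar() == 0)
                    throw new InvalidOperationException("No such table in schema dbo.");
            }

            // Step 2: identifiers cannot be parameters, so concatenate only the quoted form.
            using (SqlCommand drop = con.CreateCommand())
            {
                drop.CommandText = "DROP TABLE [dbo]." + QuoteIdentifier(tableName);
                drop.ExecuteNonQuery();
            }
        }
    }

    static void Main()
    {
        // Constructed inputs: an ordinary name and one containing a closing bracket.
        Console.WriteLine(QuoteIdentifier("SampleTable"));
        Console.WriteLine(QuoteIdentifier("a]; SELECT 1; --"));
    }
}
```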



Source: https://stackoverflow.com/questions/23357481/how-can-i-pass-a-table-name-to-sqlcommand