我正在尝试使用参数化查询,它采用 2 个列名和一个表名并从 sql server 数据库中检索数据。
问题是无法对表名进行参数化,所以我找到了一个使用 sqlcommandbuilder.quoteIdentifer(tablename) 的解决方案,这个位有效......但显然它们不能很好地结合在一起。
我得到包含一个单词的异常,它是列名 如果我手动输入列名,它就可以工作。
这里有什么问题吗?
public List<ItemsWithDescription> GetItemsFromDB(string name, string desc, string tableName)
{
List<ItemsWithDescription> items = new List<ItemsWithDescription>();
try
{
Status = 1;
SqlCommandBuilder builder = new SqlCommandBuilder();
cmd = new SqlCommand("Select @Name, @Desc from "+ builder.QuoteIdentifier(tableName), conn);
cmd.Parameters.AddWithValue("@Name", name);
cmd.Parameters.AddWithValue("@Desc", desc);
using (SqlDataReader dr = cmd.ExecuteReader())
{
while (dr.Read())
{
items.Add(new ItemsWithDescription(dr[name].ToString(), dr[name].ToString() + " | " + dr[desc].ToString()));
}
}
items.Sort((x, y) => string.Compare(x.Item, y.Item));
}
catch
{
Status = -1;
}
return items;
}
编辑: 这行得通,但我更想知道为什么两者不能一起使用:
cmd = new SqlCommand("Select" +
builder.QuoteIdentifier(name) + "," +
builder.QuoteIdentifier(desc) + "from " +
builder.QuoteIdentifier(tableName), conn);
最佳答案
您不能参数化列名。实际上,您不能在常规 SQL 中执行此操作。
你需要的是Dynamic SQL .
If you follow the various newsgroups on Microsoft SQL Server, you often see people asking why they can't do:
SELECT * FROM @tablename
SELECT @colname FROM tbl
SELECT * FROM tbl WHERE x IN (@list)
For all three examples you can expect someone to answer Use dynamic SQL and give a quick example on how to do it. Unfortunately, for all three examples above, dynamic SQL is a poor solution. On the other hand, there are situations where dynamic SQL is the best or only way to go.
也看看Table-Valued Parameters如果您使用 SQL Server 2008 及更高版本。
关于c# - 使用参数化参数 WITH sqlcommandbuilder [无数据适配器],我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/19947412/