Hi, is there any way to do that? This does not work:

// Attempt to pass the column name as a parameter; SQL Server treats @slot as a value, not an identifier
SqlCommand command = new SqlCommand("SELECT @slot FROM Users WHERE name=@name; ");
command.Parameters.AddWithValue("name", name);
command.Parameters.AddWithValue("slot", slot);

The only thing I can think of is to use an SP and declare and set the variable for the column. Seems to me a bit awkward.

+1  A: 

You cannot do this in regular SQL - if you must have configurable column names (or table name, for that matter), you must use dynamic SQL - there is no other way to achieve this.

string sqlCommandStatement =  
   string.Format("SELECT {0} FROM dbo.Users WHERE name=@name", "slot");

and then use the sp_executesql stored proc in SQL Server to execute that SQL command (and specify the other parameters as needed).

Dynamic SQL has its pros and cons - read the ultimate article on The Curse and Blessings of Dynamic SQL expertly written by SQL Server MVP Erland Sommarskog.

marc_s
The example code you give above doesn't demonstrate dynamic SQL, it just shows the use of the string.Format function. As written it's confusing.
Yellowfog
@Yellowfog: now take this string that's been formatted and use it in a call to "sp_executesql" and you have your dynamic SQL.....
marc_s
Well, you have your SQL, but it's not particularly 'dynamic', is my point. As I understand this, it refers to SQL which is constructed on the database side of things, not the webserver side. Or am I unusual in taking the term that way?
Yellowfog
@Yellowfog: "dynamic SQL" is dynamic, when you "string together" your SQL command and then call `sp_executesql` to execute it - that's all
marc_s
If you look at the actual reading you cite, below the line "There are two main roads to go, and then there are forks and sub-forks" you'll note that your example falls under 1(ii) whereas 2(ii) is the home of dynamic SQL. This corresponds with my understanding of the term.
Yellowfog
A: 

As has been mentioned, you cannot parameterise the fundamental query, so you will have to build the query itself at runtime. You should white-list the input of this, to prevent injection attacks, but fundamentally:

// TODO: verify that "slot" is an approved/expected value
SqlCommand command = new SqlCommand("SELECT [" + slot +
           "] FROM Users WHERE name=@name; ");
command.Parameters.AddWithValue("name", name);

This way @name is still parameterised etc.

Marc Gravell
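Both answers make the same point from different angles: the column name cannot be a parameter, so it has to be spliced into the statement text, and the only thing that keeps that safe is checking it against a fixed list before it gets there, while the value (@name) stays a real parameter. The following is an added example, not code from either answer or from the question; it assumes the ADO.NET System.Data.SqlClient provider, a dbo.Users table, an allow-list of column names (slot, slot1, slot2) and an nvarchar(100) name column, all of which are assumptions made for the example. It shows Marc Gravell's client-side build and marc_s's sp_executesql form side by side, sharing the same allow-list check.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient; // assumption: classic ADO.NET provider; Microsoft.Data.SqlClient exposes the same API

// Added example, not code from the question or either answer.
// The column name is checked against a fixed allow-list before it is spliced into
// the SQL text; the value (@name) stays a real parameter in both variants.
public static class UserSlotQuery
{
    // Allow-list of column names the caller may select (constructed for this example).
    // Anything else is rejected before it reaches the SQL text, so the identifier
    // is never taken from the caller verbatim.
    private static readonly HashSet<string> AllowedSlots =
        new HashSet<string>(StringComparer.Ordinal) { "slot", "slot1", "slot2" };

    // Client-side equivalent of T-SQL QUOTENAME(): bracket the identifier and
    // double any closing bracket. Defence in depth only; the allow-list decides.
    private static string Quote(string identifier) =>
        "[" + identifier.Replace("]", "]]") + "]";

    private static string ValidateSlot(string slot)
    {
        if (slot == null || !AllowedSlots.Contains(slot))
            throw new ArgumentException("Unknown column requested: " + slot, nameof(slot));
        return slot;
    }

    // Marc Gravell's variant: build the statement text on the client,
    // keep @name parameterised with an explicit type and length.
    public static SqlCommand BuildDirectCommand(string slot, string name, SqlConnection connection)
    {
        string column = Quote(ValidateSlot(slot));
        var command = new SqlCommand(
            "SELECT " + column + " FROM dbo.Users WHERE name = @name;", connection);
        command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return command;
    }

    // marc_s's variant: hand the assembled text to sp_executesql, which takes the
    // statement, a parameter declaration list and the parameter values separately.
    public static SqlCommand BuildSpExecuteSqlCommand(string slot, string name, SqlConnection connection)
    {
        string column = Quote(ValidateSlot(slot));
        var command = new SqlCommand("sp_executesql", connection)
        {
            CommandType = CommandType.StoredProcedure
        };
        command.Parameters.Add("@stmt", SqlDbType.NVarChar, -1).Value =
            "SELECT " + column + " FROM dbo.Users WHERE name = @name;";
        command.Parameters.Add("@params", SqlDbType.NVarChar, -1).Value =
            "@name nvarchar(100)";
        command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return command;
    }

    public static void Main()
    {
        // No database connection is needed to inspect the command that would be sent.
        using (var cmd = BuildDirectCommand("slot", "alice", connection: null))
            Console.WriteLine(cmd.CommandText);

        using (var cmd = BuildSpExecuteSqlCommand("slot2", "alice", connection: null))
            Console.WriteLine(cmd.Parameters["@stmt"].Value);

        // A column that is not on the allow-list is refused before any SQL is built,
        // whether it is a real column the caller should not read or garbage.
        try
        {
            BuildDirectCommand("password", "alice", connection: null);
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

The check that matters is ValidateSlot: the bracket quoting is only there so that a value which has passed the list is also syntactically safe, not as a substitute for the list. Using Parameters.Add with an explicit SqlDbType and length, rather than AddWithValue, keeps the parameter's type stable across calls so the server does not infer a different type from each input.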