Why aren't table params allowed in SQL Server? Is there any solution to this?

Example:

    using (SqlCommand myCommand = new SqlCommand(
        "SELECT * FROM @table WHERE USERNAME=@username AND PASSWORD=HASHBYTES('SHA1', @password)",
        myConnection))
    {
        // table name passed as a parameter (the part the question is about)
        myCommand.Parameters.AddWithValue("@table", table);
        myCommand.Parameters.AddWithValue("@username", user);
        myCommand.Parameters.AddWithValue("@password", pass);

        myConnection.Open();
        SqlDataReader myReader = myCommand.ExecuteReader();
        ...................
    }

Thanks.

A: 

No, you cannot pass the table name as a param.

The best way would be to try using String.Format for the table name.

astander
see my edit please
TTT
I didn't change the code, I changed the question.
TTT
+1  A: 

If you have to pass a table of values...

Otherwise, what are you trying to do?

Edit: I've got it now. As others mentioned, SQL does not work like that.

gbn
+3  A: 

You can't parameterise that part of the SQL. The server needs to know the name of the table to be able to 'prepare' the query, which is done before the parameters are processed.

You might dynamically generate the query, but that may open you up to SQL injection attacks and run-time SQL syntax errors. Also, there is a saving to be had if an SQL statement can be cached by the server - you'll lose that if every query is dynamically generated.

martin clayton
+1  A: 

Why? Because the benefit of flexibility is minor compared to the nightmare it would create in query optimization and validation.

As a sidenote, even if it was recognised you'd be getting a quoted string in the SQL, not just the table name. Dynamic SQL with heavy validation is the only real way of doing this.

CodeByMoonlight
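
The "dynamic SQL with heavy validation" approach mentioned in the answers above, as an added example (not code from any of the posters): the caller's string only selects a constant identifier from an allowlist, so it never reaches the SQL text, while the values stay parameterized. The class name, the table names `Users` and `Admins`, the lookup keys and the parameter sizes are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class LoginQuery
{
    // Hypothetical allowlist: caller-supplied key -> fixed, pre-quoted identifier.
    // Only these constants are ever concatenated into the statement.
    static readonly Dictionary<string, string> Tables =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "users",  "[dbo].[Users]"  },
            { "admins", "[dbo].[Admins]" },
        };

    // Returns the fixed identifier for a key, or throws for anything else.
    public static string ResolveTable(string key)
    {
        string identifier;
        if (key == null || !Tables.TryGetValue(key, out identifier))
            throw new ArgumentException("Unknown table name.", "key");
        return identifier;
    }

    public static SqlCommand Build(SqlConnection conn, string tableKey, string user, string pass)
    {
        // The table comes from the allowlist; the values remain real parameters.
        string sql = "SELECT * FROM " + ResolveTable(tableKey) +
                     " WHERE USERNAME = @username AND PASSWORD = HASHBYTES('SHA1', @password)";
        var cmd = new SqlCommand(sql, conn);
        cmd.Parameters.Add("@username", SqlDbType.NVarChar, 128).Value = user;
        cmd.Parameters.Add("@password", SqlDbType.NVarChar, 128).Value = pass;
        return cmd;
    }

    static void Main()
    {
        // Constructed inputs; no connection is opened, only the statement text is shown.
        using (SqlCommand cmd = Build(null, "Users", "alice", "secret"))
            Console.WriteLine(cmd.CommandText);

        try { ResolveTable("Users; DROP TABLE Users--"); }
        catch (ArgumentException) { Console.WriteLine("rejected"); }
    }
}
```

Because the set of tables is fixed, each one produces a single statement text, so the server can still cache a plan per table.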
A: 

I would try to illustrate my point of view about this with an example:

If you go to buy a car, you can "parametrize" some things: you can change the colour, maybe some variations of the engine, you can put in an MP3 or not, ... but you can't change the car model. If you change the car model, this is not a parameter, this is another car.

It is the same with an SQL query: the table is not a parameter, it is part of the sentence itself, the same way that the command is (select, update), so you can't do @command from @table. If you change the table, this is another sentence, like the car.

(this is not a technical "because" answer for your question, but a conceptual point of view for better understanding of the technical part that others are posting)

My two cents.

j.a.estevan