堆栈内存溢出
  简体   繁体   English

更改表 SqlCommand

[英]Alter table SqlCommand

 原文  2013-03-03 13:55:11       c#/ sql

问题描述

I am trying to change the datatype of one of the columns in a table using SqlCommand with parameters, but it doesn't work.我正在尝试使用带参数的 SqlCommand 更改表中一列的数据类型,但它不起作用。 Here is my code:这是我的代码:

    Dictionary<string,string> dict = new Dictionary<string,string>();
    dict.Add("@TableName",TableColumnArray[0].ToString( ));
    dict.Add("@ColumnName",TableColumnArray[1].ToString( ));
    DBSql.ExecSQLStatement( "ALTER TABLE @TableName ALTER COLUMN @ColumnName varchar(MAX)",dict,connectionStringName);

    public static void ExecSQLStatement (string strsql,Dictionary<string,string> dict,string  connectionStringName)
    {
        SqlConnection con = CreateSqlConnectionStr(connectionStringName);
        SqlCommand cmd = new SqlCommand(strsql,con);
        foreach(string dictKey in dict.Keys)
        {
            cmd.Parameters.Add(new SqlParameter(dictKey,dict[dictKey]));
        }
        con.Open( );
        cmd.ExecuteNonQuery( );
        con.Close( );
    }

But the code keeps throwing an error:"Incorrect syntax near @TableName".但是代码不断抛出错误:“@TableName 附近的语法不正确”。 I cannot find the solution to this problem.我找不到这个问题的解决方案。 I could try to use stored procedures, but I really want to know why the code is not working.我可以尝试使用存储过程,但我真的很想知道为什么代码不起作用。 I usually use SqlCommand with parameters for select,insert statements, but it seems it doesnt work with alter statements?我通常将 SqlCommand 与 select、insert 语句的参数一起使用,但它似乎不适用于 alter 语句?

3 个解决方案

解决方案1
 6  2013-03-03 13:58:37

because by default, tableName and column names CANNOT BE PARAMETERIZED .因为默认情况下, tableName 和列名不能被参数化 One way you can do to avoid sql injection is to create a User Define Function that check if the tableName is valid or not.避免 sql 注入的一种方法是创建一个用户定义函数来检查 tableName 是否有效。 Then concatenate the name on the string.然后连接字符串上的名称。 eg,例如,

Here's the UDF这是 UDF

private bool IsValidColumnNameOrTableName(string tablecolumnName)
{
    // other codes
    return returnValue;
}

解决方案2
 1  2013-03-03 13:59:08

You cannot use parameters in DDL statements.不能在 DDL 语句中使用参数。 You should create the statement string dynamically:您应该动态创建语句字符串:

DBSql.ExecSQLStatement(
    "ALTER TABLE " + TableColumnArray[0] + " ALTER COLUMN " + TableColumnArray[1] + " varchar(MAX)",
    dict,connectionStringName);

解决方案3
 0  2013-03-03 13:59:14

you need specify table name and column name exactly:您需要准确指定表名和列名:

"ALTER TABLE " + TableColumnArray[0].ToString( ) + " ALTER COLUMN " + TableColumnArray[1].ToString( ) + "varchar(MAX)"

sql server does not allow syntax where table names and column names are variable values sql server 不允许表名和列名是变量值的语法

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 SQLCommand,创建表 - SQLCommand, create table SqlCommand无法创建表 - SqlCommand cannot create table 从sqlcommand更新表记录 - Update table record from sqlcommand SqlCommand.ExecuteNonQuery锁定表 - SqlCommand.ExecuteNonQuery locks the table SqlCommand-选择多行并将其插入表 - SqlCommand - Select multiple rows and INSERT them into table 带参数的SQLCommand不再更新我的表 - SQLCommand with Parameter no longer updates my table 如何将表名传递给SqlCommand? - How can I Pass a Table Name to SqlCommand? 从Datagridview到SQL DB表的SqlCommand INSERT INTO - SqlCommand INSERT INTO from datagridview to SQL DB table 使用 SqlCommand.ExecuteNonQuery() 创建 #temp 表 - Creating #temp table using SqlCommand.ExecuteNonQuery() 带有多个结果表的SqlCommand - SqlCommand with more than one result table
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM