C#Alter Table并以编程方式添加一列ASP.Net和SQL Server
[英]C# Alter Table and Add a column programmatically ASP.Net & SQL Server
问题描述
I have been trying to add a column programmatically in ASP.NET to modify the tables in SQL Server. 
我一直在尝试在ASP.NET中以编程方式添加列来修改SQL Server中的表。
Please see the following code: 请参阅以下代码:
string suppliernotxt = supplieridlist[1].ToString();
//SqlCommand cmd2 = new SqlCommand("ALTER TABLE [ProductNormalDB] ADD suppliernotxt nvarchar(20) NULL", con);
SqlCommand cmd2 = new SqlCommand("ALTER TABLE ProductNormalDB ADD @supplierlist nvarchar(20) NULL", con);
cmd2.Parameters.AddWithValue("@supplierlist", suppliernotxt);
//cmd2.Parameters.AddWithValue("@supplierlist", suppliernotxt.ToString());
//cmd2.Parameters["@supplierlist"].Value = supplieridlist[x];
cmd2.ExecuteNonQuery();
supplieridlist is an array that acquires all the column names to add into the SQL Server database. supplieridlist是一个数组,它获取要添加到SQL Server数据库中的所有列名。 For some reason the parametrized method is not working and shows the following error: 由于某种原因,参数化方法不起作用并显示以下错误:
Incorrect syntax near '@supplierlist'.
The basic idea is to have a user select from a check box the name of the suppliers, based on the selected number of suppliers the array will create the supplier names for ex. 基本思路是让用户从复选框中选择供应商的名称,根据所选的供应商数量,阵列将为ex创建供应商名称。 if we selected 3 suppliers, the array will save "Supplier1" , "Supplier2" , "Supplier3" and then the SqlCommand is supposed to alter the table and add the new columns. 如果我们选择了3个供应商,阵列将保存"Supplier1" , "Supplier2" , "Supplier3" ,然后SqlCommand应该更改表并添加新列。
1 个解决方案
解决方案1
8 已采纳 2013-12-21 13:26:41
You cannot use parameters to express the name of columns. 您不能使用参数来表示列的名称。
Parameters could only be used to express values for WHERE clause or for INSERT or UPDATE statements. 参数只能用于表示WHERE子句或INSERT或UPDATE语句的值。
You could use string concatenation for your query text, passing the string value to a stored procedure or use some form of dynamic sql. 您可以对查询文本使用字符串连接,将字符串值传递给存储过程或使用某种形式的动态sql。
Please be very carefull with these kind of approaches because if you don't keep absolute control on the values passed to your code you will be exposed to Sql Injection. 请谨慎使用这些方法,因为如果您不对传递给代码的值保持绝对控制,那么您将接触到Sql Injection。
Adding as an example of Dynamic SQL execution, but still vulnerable to SQL Injection 添加作为动态SQL执行的示例,但仍然容易受到SQL注入攻击
string suppliernotxt = supplieridlist[1].ToString();
string execSQL = "DECLARE @sup nvarchar(15); " +
"SET @sup = '" + suppliernotxt + "'; " +
"EXEC ('ALTER TABLE ProductNormalDB ADD ' + @sup + ' nvarchar(20) NULL')"
SqlCommand cmd2 = new SqlCommand(execSQL, con);
cmd2.ExecuteNonQuery();
As you can see, even with Dynamic SQL there is nothing that prevent an SQL Injection attack passing via the suppliernotxt variable 正如您所看到的,即使使用动态SQL,也没有任何东西阻止SQL注入攻击通过suppliernotxt变量传递
EDIT As explained in the comments below from @RBarryYoung, a good improvement on the SQL Injection problem for this case of dynamic sql could be the usage of the QUOTENAME function to obtain an Unicode string with the required delimiters around the input string 编辑正如下面@RBarryYoung的评论中所解释的,对于这种动态sql情况,SQL注入问题的一个很好的改进可能是使用QUOTENAME函数来获取带有输入字符串周围所需分隔符的Unicode字符串
string execSQL = "DECLARE @sup nvarchar(15); " +
"SET @sup = QUOTENAME('" + suppliernotxt + "'); " +
"EXEC ('ALTER TABLE ProductNormalDB ADD ' + @sup + ' nvarchar(20) NULL')"
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.