[英]What SqlDbType should be used when creating a table?
I don't know if this is really needed... but I would like write as robust code as possible, so: 我不知道这是否真的需要......但我想尽可能编写强大的代码,所以:
What SqlDbType
should be used when creating a table? 创建表时应该使用什么
SqlDbType
? SqlDbType.NChar
? SqlDbType.NChar
? Or would there be a problem with a Unicode table name? 或者Unicode表名会有问题吗? Or perhaps one of the
Var
types because the length is unknown? 或者也许是
Var
类型之一,因为长度未知? I'm used to thinking about these types in the context of a database row, not table, so I'm not sure what should be used here. 我习惯在数据库行的上下文中考虑这些类型,而不是表,所以我不确定这里应该使用什么。
EDIT 编辑
For example, a line like: 例如,一行如下:
sqlCommand.Parameters.Add(new SqlParameter(parameterName,SqlDbType.NChar){ Value = value });
for a CREATE TABLE
command. 对于
CREATE TABLE
命令。
You can't parameterize your table name or column names or any other database objects. 您无法参数化表名或列名或任何其他数据库对象。 You can only parameterize your values.
您只能参数化您的值。
You can still using string concatenation it but getting your table name as an input is too risky in my opinion. 您仍然可以使用字符串连接, 但在我看来,将您的表名作为输入是太冒险了。 You should either perform very stringent validation on the table name before putting it into the SQL, or have a white-listed set of valid table names, in order to avoid SQL Injection attacks.
您应该在将表名放入SQL之前对表名执行非常严格的验证,或者具有一组列出白名单的有效表名,以避免SQL注入攻击。
Other than that, parameterized statements is only for DML Statements not DDL statements . 除此之外, 参数化语句仅适用于DML语句而不适用于DDL语句 。
All object names in SQL Server are of sysname
datatype. SQL Server中的所有对象名都是
sysname
数据类型。 Don't know if the SqlDbType contains sysname, but it is functionally identical to nvarchar(128)
, so you can use this. 不知道SqlDbType是否包含sysname,但它在功能上与
nvarchar(128)
相同,因此您可以使用它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.