在C＃中参数化ALTER / DROP TABLE OdbcCommand

Question

I am trying to convert the SQL statements in my code from concatenated strings to parameterized queries, but I can not make it work for DROP TABLE and ALTER TABLE like these: 我正在尝试将代码中的SQL语句从连接字符串转换为参数化查询，但无法使之适用于DROP TABLE和ALTER TABLE如下所示：

using (OdbcCommand delCmd = new OdbcCommand($"DROP TABLE IF EXISTS ?", dbConnection))
{
    delCmd.Parameters.Add(new OdbcParameter("?", OdbcType.NVarChar) { Value = tableName });
    delCmd.ExecuteNonQuery();
}


using (OdbcCommand delCmd = new OdbcCommand($"ALTER TABLE ? DROP COLUMN ?", dbConnection))
{
    delCmd.Parameters.Add(new OdbcParameter("?", OdbcType.NVarChar) { Value = tableName });
    delCmd.Parameters.Add(new OdbcParameter("?", OdbcType.NVarChar) { Value = columnName });
    delCmd.ExecuteNonQuery();
}

I have tried adding [] or '' to either the query string or the parameter, but I never got it to work. 我尝试将[]或''添加到查询字符串或参数中，但是我从未使它起作用。

I get run time error: 我得到运行时错误：

ERROR [42000] [Microsoft][ODBC Driver 13 for SQL Server][SQL Server]Incorrect syntax near '@P1'. 错误[42000] [Microsoft] [SQL Server的ODBC驱动程序13] [SQL Server]“ @ P1”附近的语法不正确。 ` `

Any suggestions as to how I can get these queries to work would be a big help! 关于如何使这些查询生效的任何建议将对您大有帮助！

Answer 1

You can't provide table, field names as parameters ; 您不能提供表，字段名称作为参数； but you can use formatting or string interpolation : 但是您可以使用格式设置或字符串插值 ：

 //TODO: validate tableName and columnName here 
 //since formatting / string interpolation prone to SQL injection
 // e.g. 
 // if (!Regex.IsMatch(tableName, "^[A-Za-z][A-Za-z0-9_]*$")) {/* wrong table */}

 using (OdbcCommand delCmd = new OdbcCommand(
   $"ALTER TABLE {tableName} DROP COLUMN {columnName}", 
     dbConnection)) 
 { 
     delCmd.ExecuteNonQuery();
 }

在C＃中参数化ALTER / DROP TABLE OdbcCommand

问题描述

1 个解决方案

解决方案1
1 已采纳 2019-07-29 07:57:24

在C＃中参数化ALTER / DROP TABLE OdbcCommand

问题描述

1 个解决方案

解决方案1 1 已采纳 2019-07-29 07:57:24

解决方案1
1 已采纳 2019-07-29 07:57:24