I am trying to pass a table name as a parameter to my query through SqlCommand
but it doesn't seems to be working. Here is my code;
SqlConnection con = new SqlConnection( "server=.;user=sa;password=12345;database=employee" );
con.Open( );
SqlCommand cmd = new SqlCommand( "drop table @tbName" , con );
cmd.Parameters.AddWithValue( "@tbName" , "SampleTable" );
cmd.ExecuteNonQuery( );
con.Close( );
SqlCommand.Parameters
are supported for Data manipulation language operations not Data definition language operations.
Even if you use DML, you can't parameterize your table names or column names etc.. You can parameterize only your values .
Data manipulation language =
SELECT ... FROM ... WHERE ...
INSERT INTO ... VALUES ...
UPDATE ... SET ... WHERE ...
DELETE FROM ... WHERE ...
Data definition language =
CREATE TABLE ...
DROP TABLE ... ;
ALTER TABLE ... ADD ... INTEGER;
You can't use DROP
statement with parameters.
If you really have to use drop statement, you might need to use string concatenation on your SqlCommand
. (Be aware about SQL Injection ) You might need to take a look at the term called Dynamic SQL
Also use using
statement to dispose your SqlConnection
and SqlCommand
like;
using(SqlConnection con = new SqlConnection(ConnectionString))
using(SqlCommand cmd = con.CreateCommand())
{
cmd.CommandText = "drop table " + "SampleTable";
con.Open()
cmd.ExecuteNonQuery();
}
User Soner Gönül pointed out why it doesn't work, nevertheless you can write stored procedure yourself.
CREATE PROCEDURE dbo.procdroptable
@TABLENAME SYSNAME
AS
BEGIN
SET NOCOUNT ON;
DECLARE @SQL NVARCHAR(MAX)
SELECT @SQL = 'DROP TABLE dbo.' + QUOTENAME(@TABLENAME) + '';
EXEC sp_executesql @SQL;
END
GO
Code from this question .
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.