
Cannot call method on nvarchar - no nvarchar in db - trying to parameterize table names

I'm trying to query my database to show relevant information and it was working up until I started using parameters. Now it's telling me I can't call a method on nvarchar and I can't figure out the problem.

I was trying to figure out if it's an error when I do something like this:

@Parameter.customer_id

But I wasn't sure.

Here is my query line:

// @Product is bound as a string (nvarchar) parameter, so SQL Server reads
// "@Product.license_start_date" as a method call on that string value.
cmd.CommandText = "select Customer.customer_id, Customer.customer_name, " +
                  "@Product.license_start_date, " + p + ".version, " + p + "Details.processor " +
                  "from Customer " +
                  "left outer join " + p +
                  " on Customer.customer_id = " + p + ".customer_id " +   // trailing space needed before the next join
                  "left outer join " + p + "Details " +
                  "  on " + p + ".customer_id = " + p + "Details.customer_id";
cmd.Parameters.AddWithValue("@Product", ddProducts.SelectedItem.Text);

I used + p + just to make sure that the query was functioning, and now I'm trying to get it to work with the parameters.

Also a side question, I have tables that would be @Product+Details (eg Computer, ComputerDetails). I want to make it so I can do something like + Product + "Details". Can I do that like this:

@Product Details

Or do I have to have a special parameter for that?

That is not how you use parameters to address security.
Your app should know what tables and what columns it uses.

Yes, you can use .NET variables for table and column names to build up a statement dynamically, but that variable should NEVER be direct user input (i.e. letting them key in the table name).

You may have a pull-down of used versus new where you build up a query and insert the table name of tableNew or tableUsed. But you can't use a parameter for that.

All parameters have datatypes (there is no column or table datatype); see SqlDbType.

Let's say the user gets to enter a part description.
That is something you should never pass directly to TSQL.
You put that in a parameter so the user cannot do bad things.

using System;
using System.Data;
using System.Data.SqlClient;

// Values (the customer id and the demographics text) travel as parameters;
// the table and column names are fixed in the command text.
string commandText = "UPDATE Sales.Store SET Demographics = @demographics "
    + "WHERE CustomerID = @ID;";

using (SqlConnection connection = new SqlConnection(connectionString))
using (SqlCommand command = new SqlCommand(commandText, connection))
{
    // Explicitly typed parameter: the value can only ever be an int.
    command.Parameters.Add("@ID", SqlDbType.Int);
    command.Parameters["@ID"].Value = customerID;

    // Use AddWithValue to assign Demographics.
    // SQL Server will implicitly convert strings into XML.
    command.Parameters.AddWithValue("@demographics", demoXml);

    try
    {
        connection.Open();
        Int32 rowsAffected = command.ExecuteNonQuery();
        Console.WriteLine("RowsAffected: {0}", rowsAffected);
    }
    catch (Exception ex)
    {
        Console.WriteLine(ex.Message);
    }
}
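The following is an added example, not code from the question or the answer above. It shows the pattern the answer describes applied to the asker's query: the dropdown selection is mapped through an allow-list of known table names (the `ProductTables` dictionary, the `Computer`/`Server` entries and the `ddProducts` control are assumed for illustration), the matching `...Details` table is derived from the same validated name, and only actual values (here `customer_id`) are bound as SqlParameters. A selection that is not on the list never reaches the SQL text.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the original post): allow-listed table names plus
// real parameters for values. Table and column names here are assumed.
public static class ProductQuery
{
    // The only strings that are ever allowed to become part of the SQL text.
    // Key = dropdown text, value = base table name (the Details table is "<name>Details").
    private static readonly Dictionary<string, string> ProductTables =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "Computer", "Computer" },
            { "Server",   "Server"   },
        };

    // Returns the validated base table name or throws. This is the security check:
    // the user picks an entry, the code picks the identifier.
    public static string ResolveProductTable(string selection)
    {
        if (selection != null && ProductTables.TryGetValue(selection, out string table))
            return table;
        throw new ArgumentException("Unknown product selection: " + selection);
    }

    // Builds the query text. Identifiers come from the allow-list and are bracket-quoted
    // (belt and braces; the allow-list is the real control). Values stay parameterized.
    public static string BuildSql(string selection)
    {
        string baseName = ResolveProductTable(selection);
        string p = "[" + baseName + "]";
        string d = "[" + baseName + "Details]";
        return
            "select Customer.customer_id, Customer.customer_name, " +
            p + ".license_start_date, " + p + ".version, " + d + ".processor " +
            "from Customer " +
            "left outer join " + p + " on Customer.customer_id = " + p + ".customer_id " +
            "left outer join " + d + " on " + p + ".customer_id = " + d + ".customer_id " +
            "where Customer.customer_id = @customerId";
    }

    // Runs the query for one customer; customerId is bound as an int parameter.
    public static void Run(string connectionString, string selection, int customerId)
    {
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(BuildSql(selection), connection))
        {
            command.Parameters.Add("@customerId", SqlDbType.Int).Value = customerId;
            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                while (reader.Read())
                    Console.WriteLine("{0}\t{1}\t{2}",
                        reader["customer_id"], reader["customer_name"], reader["processor"]);
            }
        }
    }

    public static void Main()
    {
        // A legitimate dropdown value produces the intended statement.
        Console.WriteLine(BuildSql("Computer"));

        // A tampered request (someone posts a value that is not in the dropdown)
        // is rejected before any SQL is built.
        try
        {
            BuildSql("Computer; DROP TABLE Customer; --");
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

In the page itself the call would be `ProductQuery.Run(connectionString, ddProducts.SelectedItem.Text, customerId)`: the dropdown still drives which table is queried, but the text it submits is treated as a lookup key, not as SQL.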
