[英]I need to get the Dataset from SQL from Table Valued Function using code C# in visual studio
[英]I need to create a sql server database table using visual studio(c# language) . But the name of the table has to be an input from the user
con1.Open();
cmd = new SqlCommand("create table [dbo.][" + textBox2.Text + "](sno int primary key identity(1,1),[Week] [int] not null ,Date nvarchar(30) not null,Time nvarchar(30) not null,Monday_1st_half nvarchar(20),Monday_2nd_half nvarchar(20),Tuesday_1st_half nvarchar(20),Tuesday_2nd_half nvarchar(20),Wednesday_1st_half nvarchar(20),Wednesday_2nd_half nvarchar(20),Thursday_1st_half nvarchar(20),Thursday_2nd_half nvarchar(20),Friday_1st_half nvarchar(20),Friday_2nd_half nvarchar(20),Saturday_1st_half nvarchar(20),Saturday_2nd_half nvarchar(20),Sunday_1st_half nvarchar(20),Sunday_2nd_half nvarchar(20))", con1);
cmd.ExecuteNonQuery();
con1.Close();
如果我为表提供硬编码名称而不是textbox.text值,则此查询有效,将创建一个表。 但是,当我使用此代码时,它会创建一个名为“dbo”的表。 如果我从查询中删除“[dbo。]”,则会显示错误消息“对象丢失”。 有人可以帮我吗?。
这是一个更好的方法来做到这一点。 首先创建以下存储过程:
CREATE PROC dbo.MakeUserTable(@Tablename as SYSNAME) As
DECLARE @CleanName As SYSNAME;
SET @CleanName = QUOTENAME(@Tablename, '[');
DECLARE @sql As NVARCHAR(MAX);
SELECT @sql = 'create table [dbo].' + @CleanName + '(sno int primary key identity(1,1),[Week] [int] not null ,Date nvarchar(30) not null,Time nvarchar(30) not null,Monday_1st_half nvarchar(20),Monday_2nd_half nvarchar(20),Tuesday_1st_half nvarchar(20),Tuesday_2nd_half nvarchar(20),Wednesday_1st_half nvarchar(20),Wednesday_2nd_half nvarchar(20),Thursday_1st_half nvarchar(20),Thursday_2nd_half nvarchar(20),Friday_1st_half nvarchar(20),Friday_2nd_half nvarchar(20),Saturday_1st_half nvarchar(20),Saturday_2nd_half nvarchar(20),Sunday_1st_half nvarchar(20),Sunday_2nd_half nvarchar(20));'
PRINT 'Executing "'+@sql+'"';
EXEC(@sql);
现在更改您的客户端代码以执行此操作,并将tablename作为参数传递。
我不能100%保证它不受SQL注入攻击的影响,但是如果你必须接受用户的表名,这就像你可以获得的那样安全。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.