Parameterized SQL in FROM clause
09-06-2021
Question
Using OleDbCommand, I can add SQL parameters and thus keep the query safe from SQL injection, but is there a way to do this within the FROM clause? See below.
THIS WORKS
```csharp
query = "Select * From Company Where @param = 1";
OleDbCommand Command = new OleDbCommand(query, sqlConnStr);
DataSet dataSet = new DataSet();
DataTable Table = null;
//Add Parameters
Command.Parameters.AddWithValue("param", "ID");
// The adapter executes the SelectCommand itself during Fill, so no separate Execute call is needed
OleDbDataAdapter adapter = new OleDbDataAdapter();
adapter.SelectCommand = Command;
adapter.Fill(dataSet);
Table = dataSet.Tables[0];
```
It returns a nice table with the wonderful row where id = 1.
BUT
I am looking for something like this; note the FROM clause:
```csharp
query = "Select * From @tableName Where @param = 1";
OleDbCommand Command = new OleDbCommand(query, sqlConnStr);
DataSet dataSet = new DataSet();
DataTable Table = null;
//Add Parameters
Command.Parameters.AddWithValue("param", "ID");
Command.Parameters.AddWithValue("tableName", "Company");
OleDbDataAdapter adapter = new OleDbDataAdapter();
adapter.SelectCommand = Command;
adapter.Fill(dataSet);
Table = dataSet.Tables[0];
```
The DBMS keeps returning "Error in From clause".
PS: everything is spelled correctly; I triple checked.
To all: thanks, but alas I shall stick to just parameterized SQL. I don't like dynamic SQL one bit.
Solution
You'd have to execute a dynamically concatenated SQL string, which unfortunately would compromise whatever benefits parameterized SQL had afforded you to begin with. See this post.
```sql
DECLARE @SQL varchar(250)
-- Both identifiers are concatenated straight into the statement text, so neither is protected by parameterization
SELECT @SQL = 'Select * From ' + @TableName + ' Where ' + @param + ' = 1'
Exec(@SQL)
```
Not advisable, if you can predetermine the table name through some other means instead.
Other tips
SQL doesn't allow the FROM clause to be parameterized. You can't do it the way you are trying. Probably you can do it like this:
```csharp
query = "Select * From " + tableName + " Where @param = 1";
```
You cannot use parameterised object names. You would have to do something like
```csharp
string.Format("SELECT * FROM [{0}] WHERE [{1}] = 1", tableName, columnName);
```
DO SO AT YOUR OWN PERIL
It could be worth checking for square brackets in the input; this is the only way I can currently think of to "inject" the above example. I am no hacker though and not versed in SQL injection. Something like this might work:
```csharp
if (tableName.Contains("]"))
{
    throw new ArgumentException();
}
```
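A more robust version of the idea above, as an added example that is not part of any answer on this page: instead of only rejecting `]`, validate the table and column names against an allowlist of identifiers the application is known to use, quote them by doubling any embedded `]` (the same rule T-SQL's QUOTENAME applies), and keep the comparison value as a real parameter. It assumes a constructed allowlist (`Company`, `Employee`, `ID`, `Name`) and an already-open OleDbConnection; the `?` placeholder is used because OleDb parameters are positional, not named.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.OleDb;

static class SafeIdentifierQuery
{
    // Constructed allowlist for this example. In real code, populate it at startup from your own
    // schema knowledge (or conn.GetSchema("Tables")), never from request input.
    static readonly HashSet<string> AllowedTables =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Company", "Employee" };
    static readonly HashSet<string> AllowedColumns =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "ID", "Name" };

    // Bracket-quote an identifier, doubling any ']' so it cannot close the quoted name early.
    // This is defence in depth; the allowlist check above it is the primary control.
    static string Quote(string identifier) => "[" + identifier.Replace("]", "]]") + "]";

    public static string BuildSelect(string tableName, string columnName)
    {
        if (!AllowedTables.Contains(tableName))
            throw new ArgumentException("Unknown table: " + tableName, nameof(tableName));
        if (!AllowedColumns.Contains(columnName))
            throw new ArgumentException("Unknown column: " + columnName, nameof(columnName));

        // Identifiers are interpolated only after validation; the value stays a bound parameter.
        return $"SELECT * FROM {Quote(tableName)} WHERE {Quote(columnName)} = ?";
    }

    public static DataTable Run(OleDbConnection conn, string tableName, string columnName, object value)
    {
        using (var command = new OleDbCommand(BuildSelect(tableName, columnName), conn))
        {
            // OleDb binds parameters by position; the name is only a label for readability.
            command.Parameters.AddWithValue("@value", value);
            using (var adapter = new OleDbDataAdapter(command))
            {
                var table = new DataTable();
                adapter.Fill(table);
                return table;
            }
        }
    }
}
```

`BuildSelect("Company", "ID")` yields `SELECT * FROM [Company] WHERE [ID] = ?`, while any name outside the allowlist is rejected before it ever reaches the statement text.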