Using variables in SQL queries in asp.net (C#)

Backend | Unresolved | 4 answers | 1846 views
长情又很酷 2021-01-05 13:47

I have an SQL query of this form

// Builds the statement by string concatenation
string cmdText = "Select * from " + searchTable
  + "WHERE " + searchTable
  + "Name =' " + searchValue + "'";

4 answers
  • 2021-01-05 14:06

    You can put (and should!) parameters into your SQL queries for the values in e.g. your WHERE clause - but you cannot parametrize stuff like your table name.

    So I'd rewrite that query to be:

    SELECT (list of columns)
    FROM dbo.Actor
    WHERE ActorName = @ActorName
    

    and then pass in just the value for @ActorName.

    If you need to do the same thing for directors, you'd have to have a second query

    SELECT (list of columns)
    FROM dbo.Directors
    WHERE DirectorName = @DirectorName
    

    Using parameters like this

    • enhances security (prohibits SQL injection attacks!)
    • enhances performance: the query plan for that query can be cached and reused for second, third runs

    PS: the original problem in your setup is this: you don't have any space between the first occurrence of your table name and the WHERE clause - thus you would get:

    SELECT * FROM ActorWHERE ActorName ='.....'
    

    If you really insist on concatenating together your SQL statement (I would NOT recommend it!), then you need to put a space between your table name and your WHERE !

    Update: some resources for learning about parametrized queries in ADO.NET:

    • The C# Station ADO.NET Tutorial / Lesson 06: Adding Parameters to Commands
    • Using Parameterized Queries with the SqlDataSource
  • 2021-01-05 14:09

    There is a blank missing and one too many:

    searchTable + "Name =' "
    

    should read

    searchTable + " Name ='"
    

    Beside that, use SQL parameters to prevent SQL injection.

  • 2021-01-05 14:14

    You shouldn't concatenate string to SQL, as this will open you up to SQL Injection attacks.

    This is a rather long read about dynamic SQL, but worth reading to understand the risks and options.

    You should be using parameterized queries instead, though the only way to use a table name as a parameter is to use dynamic SQL.

    I urge you to change your approach regarding table names - this will lead to problems in the future - it is not maintainable and as I mentioned above, could open you to SQL Injection.


    The error you are seeing is a result of the concatenation you are doing with the "Where " clause - you are missing a space before it. You are also adding a space after the ' in the parameter ending with "Name".

    Your resulting string, using your example would be:

    Select * from ActorWHERE ActorName =' some actor';
    
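One way to put the first and third answers into code: the search value goes in as a typed parameter, the table and column names (which cannot be parametrized) come from a fixed whitelist instead of from the caller, and the original concatenated form sits beside it so the injection risk is visible. This is an added example, not code from the question or from any of the answers. It assumes SQL Server through System.Data.SqlClient (Microsoft.Data.SqlClient uses the same calls), the dbo.Actor/ActorName and dbo.Directors/DirectorName names from the first answer, that those name columns are nvarchar, and a placeholder connection string.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example; not code from the original question or answers.
// Assumed schema (names taken from the first answer):
//   dbo.Actor(ActorName nvarchar), dbo.Directors(DirectorName nvarchar)
public static class NameSearch
{
    private sealed class Target
    {
        public string Table;   // hard-coded, whitelisted identifier
        public string Column;  // hard-coded, whitelisted identifier
    }

    // Table and column names cannot be SQL parameters, so they are looked up
    // from this fixed map by a caller-supplied kind. Anything not in the map is
    // rejected before it reaches the statement text.
    private static readonly Dictionary<string, Target> Targets =
        new Dictionary<string, Target>(StringComparer.OrdinalIgnoreCase)
        {
            { "actor",    new Target { Table = "dbo.Actor",     Column = "ActorName" } },
            { "director", new Target { Table = "dbo.Directors", Column = "DirectorName" } },
        };

    public static string BuildQuery(string searchKind)
    {
        Target t;
        if (!Targets.TryGetValue(searchKind, out t))
            throw new ArgumentException("Unknown search kind: " + searchKind, "searchKind");
        // Only whitelisted identifiers are spliced in; the value is always @name.
        return "SELECT " + t.Column + " FROM " + t.Table + " WHERE " + t.Column + " = @name";
    }

    public static List<string> Search(string connectionString, string searchKind, string searchValue)
    {
        var names = new List<string>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(BuildQuery(searchKind), conn))
        {
            // A typed parameter is sent separately from the statement text, so
            // quotes or comment markers inside searchValue are data, not syntax.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 200).Value = searchValue;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    names.Add(reader.GetString(0));
            }
        }
        return names;
    }

    // The question's concatenated form (with the missing space restored), kept only
    // to show what an attacker-controlled value turns into once it is pasted into
    // the statement text. Do not execute this with untrusted input.
    public static string ConcatenatedQuery(string searchTable, string searchValue)
    {
        return "Select * from " + searchTable + " WHERE " + searchTable + "Name ='" + searchValue + "'";
    }

    public static void Main()
    {
        // Constructed hostile input: closes the string literal, adds a tautology,
        // and comments out the trailing quote.
        string hostile = "x' OR 1=1 --";
        Console.WriteLine(ConcatenatedQuery("Actor", hostile));
        Console.WriteLine(BuildQuery("actor"));
        // Search("Server=.;Database=Movies;Integrated Security=true", "actor", hostile)
        // would send the hostile text as the literal value of @name and match no row.
    }
}
```

With the concatenated form the hostile value becomes part of the SQL (`... WHERE ActorName ='x' OR 1=1 --'`), so the predicate is always true and the trailing quote is commented out; with `BuildQuery` plus the `@name` parameter the same text is compared as a plain string against `ActorName` and nothing else changes. If you need the third answer's dynamic-SQL route on the server side instead, keep the same rule: identifiers come from a whitelist, values come through parameters.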
  • 2021-01-05 14:19
    string cmdText = "Select * from " + searchTable + " WHERE Name = '" +   searchValue + "'";
    