How to parameterise table name in ODBC query
I have an ODBC connection to a database and I would like the user to be able to view data within any table. As this is an ASP.net application I cannot trust that the table name
-
Use a stored procedure, it's the safest way.
Some hints:
- You probably may also use the
System.Data.SqlClientnamespace objects - Enclose your connection, command and adapter objects initializations in
usingstatements
Here's a simple example:
string sqlStoredProcedure = "SelectFromTable"; using (OdbcConnection dbConnection = new OdbcConnection(dbConnectionString)) { dbConnection.Open(); using (OdbcCommand command = new OdbcCommand(sqlStoredProcedure, dbConnection)) { command.CommandType = System.Data.CommandType.StoredProcedure; command.Parameters.Add(new OdbcParameter("@table", tableName)); using (OdbcDataAdapter adapter = new OdbcDataAdapter(command)) { adapter.SelectCommand = command; adapter.Fill(tableData); } } }Another way to go would be to retrieve all table names and validate the
tableNamestring variable as an entry in the list, maybe using:DataTable tables = dbConnection.GetSchema(OdbcMetaDataCollectionNames.Tables);Here's a simple implementation based on your scenario:
string sql = "SELECT TOP 10 * FROM {0}"; using (OdbcConnection dbConnection = new OdbcConnection(dbConnectionString)) { dbConnection.Open(); DataTable tables = dbConnection.GetSchema(OdbcMetaDataCollectionNames.Tables); var matches = tables.Select(String.Format("TABLE_NAME = '{0}'", tableName)); //check if table exists if (matches.Count() > 0) { using (OdbcCommand command = new OdbcCommand(String.Format(sql, tableName), dbConnection)) { using (OdbcDataAdapter adapter = new OdbcDataAdapter(command)) { adapter.SelectCommand = command; adapter.Fill(tableData); } } } else { //handle invalid value } }讨论(0) - You probably may also use the
加载中...
- 热议问题