Question
Try
    Using connection As New SqlConnection(ConnectionString)
        connection.Open()
        ' Intent: supply the column name through a parameter
        SQL = "SELECT @PARAM FROM SystemOps"
        sqlCmd = New SqlClient.SqlCommand(SQL, connection)
        ' The parameter is typed as VarChar, so it is bound as a string value
        sqlCmd.Parameters.Add(New SqlClient.SqlParameter("@PARAM", SqlDbType.VarChar)).Value = "SystemNavn"
        ' .. and so on...
When I run the code, it returns with a result of "SystemNavn"
(which is the name of the column in the table), instead of the value of that column in the current row. What am I doing wrong?
Answer 1:
You cannot use parameter names for column names, or any other SQL syntax. You can only use parameters as placeholders for literal values. Parameters always get replaced with the literal form for the value, so in your example, the command which is being run, essentially, gets evaluated as:
SELECT 'SystemNavn' FROM SystemOps
In order to have a variable column name, like that, I would recommend dynamically building the SQL string, like this:
Dim columnName As String = "SystemNavn"
SQL = "SELECT [" & columnName & "] FROM SystemOps"
However, by doing so, you are opening yourself up to potential SQL-injection attacks, so you need to be careful. The safest way, that I'm aware of, to avoid an attack in a situation like this is to get the list of column names from the database and compare the columnName
variable against that list to ensure that it is actually a valid column name.
Of course, if the column name never changes, then there's no reason to make it a variable at all. In that case, just hard-code it directly into the SQL command, thereby avoiding the necessity for parameters or variables at all:
SQL = "SELECT SystemNavn FROM SystemOps"
Answer 2:
Your query doesn't need any parameters in this case. Just do
SQL = "SELECT SystemNavn FROM SystemOps"
This is secure. If later you need to filter this, you can do something like:
SQL = "SELECT SystemNavn FROM SystemOps WHERE COL_A = @ColA"
FYI, for your code above, since it is a VARCHAR type, it is being executed like so:
SELECT 'SystemNavn' FROM SystemOps
That is why you're getting 'SystemNavn' back.
Answer 3:
You cannot use a parameter to specify the name of a column or a table.
The parameters collection is used to specify the values to search for, to insert, to update or to delete.
Your code should be changed to something like this
Using connection As New SqlConnection(ConnectionString)
    connection.Open()
    ' Column and table names are written into the SQL text; only the search value is a parameter
    SQL = "SELECT SystemNavn, <other fields if needed> " & _
          "FROM SystemOps WHERE <keyfield_name> = @PARAM"
    sqlCmd = New SqlClient.SqlCommand(SQL, connection)
    sqlCmd.Parameters.AddWithValue("@PARAM", paramValue)
    ......
End Using
Of course, the example above assumes that you have a WHERE clause. If you want to retrieve every value of the column SystemNavn without a condition, then you don't need a parametrized query, because every part of your SQL command is provided by you and there is no worry about SQL injection.
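An added example, not code from the question or from any of the answers, that shows in runnable form the points made in Answer 1 and Answer 3: a bound parameter in the column position comes back as a literal string, a dynamic column name has to be checked against the column list read from the schema before it is spliced into the SQL text, and a filter value stays a real parameter. It uses Python's sqlite3 module with an in-memory SQLite table named SystemOps as a stand-in for the SQL Server table; the second column `Miljo`, the rows, and all function names are assumptions made for the example. Parameter semantics are the same in both engines; only the identifier quoting differs (SQLite uses double quotes where SQL Server uses square brackets).

```python
import sqlite3

# Constructed sample rows standing in for the SystemOps table (assumed column "Miljo").
SAMPLE_ROWS = [("Payroll", "prod"), ("Inventory", "test")]


def make_db():
    """Build the in-memory stand-in table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SystemOps (SystemNavn TEXT, Miljo TEXT)")
    # The row values are bound as parameters, which is what parameters are for.
    conn.executemany("INSERT INTO SystemOps VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def select_with_param_as_column(conn, column_name):
    """The questioner's pattern: the placeholder is bound as a VALUE, so every
    row yields the literal string, never the contents of the named column."""
    cur = conn.execute("SELECT ? FROM SystemOps ORDER BY rowid", (column_name,))
    return [row[0] for row in cur]


def column_names(conn):
    """Read the real column list from the schema; this is the allow-list.
    The table name is hard-coded because PRAGMA cannot be parameterised either."""
    return {row[1] for row in conn.execute("PRAGMA table_info(SystemOps)")}


def is_valid_column(conn, column_name):
    """Exact match against the schema; anything else (including injection
    payloads such as 'x" FROM t; --') is rejected before it reaches the SQL text."""
    return column_name in column_names(conn)


def select_column(conn, column_name, env=None):
    """Dynamic column name validated against the allow-list, then quoted as an
    identifier; an optional filter value is kept as a bound parameter."""
    if not is_valid_column(conn, column_name):
        raise ValueError(f"unknown column: {column_name!r}")
    # Safe to splice: column_name is one of the schema's own column names.
    sql = f'SELECT "{column_name}" FROM SystemOps'
    params = ()
    if env is not None:
        # The filter value is data, so it goes through a parameter, as in Answer 3.
        sql += " WHERE Miljo = ?"
        params = (env,)
    sql += " ORDER BY rowid"
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = make_db()
    print(select_with_param_as_column(db, "SystemNavn"))  # literal back for each row
    print(select_column(db, "SystemNavn"))                # actual column values
    print(select_column(db, "SystemNavn", env="prod"))    # filtered by parameter
    print(is_valid_column(db, 'SystemNavn" FROM SystemOps; --'))  # rejected
```

On SQL Server the same allow-list can be built from `INFORMATION_SCHEMA.COLUMNS` for the table, and the validated name is wrapped in square brackets instead of double quotes; the shape of the check does not change.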
Source: https://stackoverflow.com/questions/16419019/unable-to-select-values-when-using-a-parameter-for-the-column-name