3

I want to pass the table name to CommandText as a parameter, something like @column. How can I do this? The column name is passed in as a custom parameter.

using (SqlConnection connection = SQL.Connection())
{
    using (SqlCommand cmd = connection.CreateCommand())
    {
        cmd.Parameters.Add("@data", SqlDbType.VarChar).Value = "some_string";
        cmd.CommandText = "UPDATE users SET colum=@data";
        cmd.ExecuteNonQuery();
    }
}
2
  • 1
    Why not use string.Format() ? e.g. cmd.CommandText = string.Format("UPDATE users SET {0}=@data1, {1}=@data1", column1Name, column2Name) etc etc Commented May 26, 2015 at 9:37
  • Try codeproject.com/Articles/4416/… Commented May 26, 2015 at 10:06

2 Answers

1

You cannot do this in regular SQL - if you must have configurable column names (or table name, for that matter), you must use dynamic SQL - there is no other way to achieve this. Example is shown below.

// column1 and column2 become part of the SQL text; only @somedata is a parameter
string sqlCommandStatement =
   string.Format("UPDATE users SET {0}=@somedata, {1}=@somedata", column1, column2);

and then use the sp_executesql stored proc in SQL Server to execute that SQL command (and specify the other parameters as needed).

You can also check this article

3 Comments

This is a solution, but a vulnerable solution. See: msdn.microsoft.com/query/…
@Profesor08 I don't think that MS bullpoo applies... "This rule assumes that the string argument contains user input." You will have user input directly defining which columns to use?.. effectively you should keep the where filter parameterised... the column names I guess you define depending on checkbox selection etc... so imho string.Format is fine.
The column name is defined by the user. I wanted to know whether there is a way, provided by MS, without any manual filtering. Anyway, this is not a big problem.
1

This is a long thread/question, but maybe you'll find this solution of mine helpful. As you can see, I use parameters here and this is a dynamic column =)

    protected void BindDate()
    {
        StringBuilder SQLtext = new StringBuilder();

        SQLtext.AppendLine(" declare @tsql nvarchar(max) ");

        SQLtext.AppendLine(" set @tsql= ");
        SQLtext.AppendLine(" ' ");
        SQLtext.AppendLine(" With ctemp as( ");
        SQLtext.AppendLine(" select convert(varchar(10),sysDate,102) sysDate,convert(varchar(10),WeekDate,102) WeekDate,[Month],[Quarter],[Year] ");
        SQLtext.AppendLine(" from sysCalendar ");
        SQLtext.AppendLine(" where sysdate<=(select max(nominal_date) from ATTENDANCE_AGENT_T) ");
        SQLtext.AppendLine(" and sysDate>=dateadd(MONTH,-12,getdate()) ");
        SQLtext.AppendLine(" ) ");
        SQLtext.AppendLine(" select distinct ' + @mydate + ' as mydate from ctemp order by '+ @mydate + ' desc ");
        SQLtext.AppendLine(" ' ");
        SQLtext.AppendLine(" exec(@tsql) ");

        string constr = ConfigurationManager.ConnectionStrings["CIGNAConnectionString"].ConnectionString;
        using (SqlConnection con = new SqlConnection(constr))
        {
            using (SqlCommand cmd = new SqlCommand(SQLtext.ToString()))
            {
                cmd.CommandType = CommandType.Text;
                cmd.Parameters.AddWithValue("@mydate", Radio_range.SelectedValue);
                cmd.Connection = con;
                con.Open();
                DropDownList_Date.DataSource = cmd.ExecuteReader();
                DropDownList_Date.DataTextField = "mydate";
                DropDownList_Date.DataValueField = "mydate";
                DropDownList_Date.DataBind();
                con.Close();
            }
        }
    }
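
The question's UPDATE with a caller-chosen column, as an added example (not code from either answer): the requested name is resolved through an allowlist and quoted before it enters the command text, while the value stays a parameter. The allowlisted column names and the class and method names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class DynamicColumnUpdate
{
    // Assumed schema: caller-facing names mapped to the real columns of
    // "users" that may be updated. Anything not listed here is refused.
    static readonly Dictionary<string, string> UpdatableColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "name", "display_name" },
            { "email", "email" },
            { "city", "city" },
        };

    // Returns the statement text, or throws if the column is not allowlisted.
    public static string BuildUpdateSql(string requestedColumn)
    {
        if (requestedColumn == null ||
            !UpdatableColumns.TryGetValue(requestedColumn, out string column))
            throw new ArgumentException("Column is not updatable.", nameof(requestedColumn));

        // Only the allowlisted constant reaches the SQL text; bracket-quoting
        // it as well keeps the statement valid for names with spaces or "]".
        string quoted = new SqlCommandBuilder().QuoteIdentifier(column);
        return "UPDATE users SET " + quoted + " = @data";
    }

    public static int UpdateColumn(SqlConnection connection, string requestedColumn, string value)
    {
        using (SqlCommand cmd = connection.CreateCommand())
        {
            cmd.CommandText = BuildUpdateSql(requestedColumn);            // identifier: validated
            cmd.Parameters.Add("@data", SqlDbType.VarChar).Value = value; // value: parameter
            return cmd.ExecuteNonQuery();
        }
    }

    static void Main()
    {
        // Constructed inputs: an allowlisted name, then text that is not a column.
        foreach (string input in new[] { "Name", "email = @data; --" })
        {
            try { Console.WriteLine(BuildUpdateSql(input)); }
            catch (ArgumentException) { Console.WriteLine("rejected: " + input); }
        }
    }
}
```

`Main` only builds the statement text, so it runs without a database; `UpdateColumn` needs an open connection.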
