C# SqlCommand – cannot use parameters for column names, how to resolve?

by

As has been mentioned, you cannot parameterise the fundamental query, so you will have to build the query itself at runtime. You should white-list the input of this, to prevent injection attacks, but fundamentally:

// TODO: verify that "slot" is an approved/expected value
SqlCommand command = new SqlCommand("SELECT [" + slot +
           "] FROM Users WHERE name=@name; ")
prikaz.Parameters.AddWithValue("name", name);

This way @name is still parameterised etc.

More Related Contents:

  1. How do parameterized queries help against SQL injection?
  2. What represents a double in sql server?
  3. What’s the fastest way to bulk insert a lot of data in SQL Server (C# client)
  4. Automated checking of database connection and query in same database [closed]
  5. SQL Server Char/VarChar DateTime Error [closed]
  6. Sql: Incorrect syntax near ‘(‘ [closed]
  7. What are good ways to prevent SQL injection? [duplicate]
  8. NHibernate QueryOver with Fetch resulting multiple sql queries and db hits
  9. Validation failed for one or more entities while saving changes to SQL Server Database using Entity Framework
  10. Distinct in Linq based on only one field of the table
  11. Wildcard search for LINQ
  12. SQL Insert Query Using C#
  13. Map category parent id self referencing table structure to EF Core entity
  14. Entity Framework error: Cannot insert explicit value for identity column in table
  15. Get an IDataReader from a typed List
  16. Does using parameterized SqlCommand make my program immune to SQL injection?
  17. Executing query with parameters
  18. Direct method from SQL command text to DataSet
  19. Table name and table field on SqlParameter C#?
  20. Get affected rows on ExecuteNonQuery
  21. Add WHERE clauses to SQL dynamically / programmatically
  22. Entity Framework – default values doesn’t set in sql server table
  23. How to use SQL ‘LIKE’ with LINQ to Entities? [duplicate]
  24. Query validation using C#
  25. Entity framework: StoreGeneratedPattern=”Computed” property
  26. Database Error: There is no row at position 0
  27. Linq union usage?
  28. Querying data using Entity Framework from dynamically created table
  29. Microsoft.Jet.OLEDB.4.0 Converting Characters
  30. Capturing count from an SQL query

Leave a Comment