Parameterise table name in .NET/SQL?

You cannot directly parameterize the table name. You can do it indirectly via sp_ExecuteSQL, but you might just as well build the (parameterized) TSQL in C# (concatenating the table-name but not the other values) and send it down as a command. You get the same security model (i.e. you need explicit SELECT etc, and assuming it isn’t signed etc).

Also – be sure to white-list the table name.

More Related Contents:

Parameterize an SQL IN clause
Fastest way to perform nested bulk inserts with scope_identity() usage?
How to set table name in dynamic SQL query?
Pass table as parameter into sql server UDF
Can we pass parameters to a view in SQL?
“Order By” using a parameter for the column name
Call stored procedure with table-valued parameter from java
SQL QUERY COUNT THEN ADD
SQL server command help and tutorials for specific commands?
How do I UPDATE from a SELECT in SQL Server?
How to return only the Date from a SQL Server DateTime datatype
Referring to a Column Alias in a WHERE Clause
Convert Datetime column from UTC to local time in select statement
How to implement LIMIT with SQL Server? [duplicate]
converting Epoch timestamp to sql server(human readable format)
What are Covering Indexes and Covered Queries in SQL Server?
What’s the best way to select the minimum value from several columns?
Add a summary row with totals
Counting DISTINCT over multiple columns
How to check if a stored procedure exists before creating it
Calculate business hours between two dates
Correct use of transactions in SQL Server
SSIS Source Format Implicit Conversion for Datetime
store arabic in SQL database
Lightweight SQL database which doesn’t require installation [closed]
how does SELECT TOP works when no order by is specified?
Compare dates in T-SQL, ignoring the time part
Safest way to get last record ID from a table
Space used by nulls in database
Removing duplicate rows (based on values from multiple columns) from SQL table

More Related Contents:

Leave a Comment Cancel reply