I have the following query, which works:

string sqlCommandText = "SELECT * FROM admin_t WHERE adminid = '" + textbox.Text + "'";

It is a fixed command, so I cannot use user-given table names or column names at run time.
What I am trying to do is build a command like this:

string sqlCommandText = "SELECT * FROM admin_t WHERE '" + userGivenColumnName + "' = '" + conditionTb.Text + "'";

"userGivenColumnName" can be any column that is part of a specific table.
I am trying to create flexibility so that the same command can be used under different circumstances.
Neither SqlCommand nor any of the related ADO.NET classes support such functionality, as far as I know.

Of course, you should never build SQL queries with string concatenation; you should use parameterized queries. This kind of string concatenation opens you up to SQL injection attacks.

But prepared statements only take values, not column names or table names. If you really want to put an input string in as a column name, create a whitelist and validate against it before putting the name in the query.
http://codeblog.jonskeet.uk/2014/08/08/the-bobbytables-culture/
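An added example (not code from the question or the answer above) of the approach the answer describes: the column name is checked against a whitelist and only the whitelist's own string is spliced into the SQL, while the value goes in a parameter. The table `admin_t` and the column `adminid` come from the question; the other column names, the parameter size and the connection are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class AdminQuery
{
    // Whitelist of columns the caller may filter on. "adminid" is from the question;
    // "username" and "email" are assumed for this example.
    private static readonly string[] AllowedColumns = { "adminid", "username", "email" };

    // Returns the whitelist's own copy of the column name, never the user's string,
    // so nothing the user typed ever reaches the SQL text. Throws for anything else.
    public static string ValidateColumn(string userGivenColumnName)
    {
        foreach (string col in AllowedColumns)
        {
            if (string.Equals(col, userGivenColumnName, StringComparison.OrdinalIgnoreCase))
                return col;
        }
        throw new ArgumentException("Column is not allowed for filtering: " + userGivenColumnName);
    }

    // Builds the command: identifier from the whitelist, value as a parameter.
    public static SqlCommand BuildCommand(SqlConnection conn, string userGivenColumnName, string conditionValue)
    {
        string column = ValidateColumn(userGivenColumnName);
        var cmd = new SqlCommand("SELECT * FROM admin_t WHERE [" + column + "] = @value", conn);
        // Parameter type and length are assumed; match them to the real column definition.
        cmd.Parameters.Add("@value", SqlDbType.NVarChar, 100).Value = conditionValue;
        return cmd;
    }

    public static void Main()
    {
        // Placeholder connection string; the command is built but not executed here.
        using (var conn = new SqlConnection("Server=YOUR_SERVER;Database=YOUR_DB;Integrated Security=true"))
        {
            SqlCommand ok = BuildCommand(conn, "AdminId", "42");
            Console.WriteLine(ok.CommandText);   // SELECT * FROM admin_t WHERE [adminid] = @value

            try
            {
                BuildCommand(conn, "password", "x"); // not in the whitelist: rejected
            }
            catch (ArgumentException ex)
            {
                Console.WriteLine("Rejected: " + ex.Message);
            }
        }
    }
}
```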