Can Table Names Be Parameterized in .NET/SQL?
Values can be parameterized with command.Parameters.AddWithValue("whatever", whatever) and @whatever in the query text, and developers sometimes want to do the same with other parts of the query, such as column and table names. This is not an ideal situation, but external constraints can make it necessary.
However, table names cannot be parameterized directly. One indirect route is sp_ExecuteSQL; the alternative is to build the T-SQL statement in C#, parameterized throughout except for the concatenated table name, and send it as the command text. The values in such a statement receive the same protection as with ordinary parameterization.
Because the table name is concatenated rather than parameterized, it must be checked against a whitelist of known table names before it is placed in the query, so that the concatenated part cannot be exploited by malicious actors.
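The approach described above in working C#, as an added example that is not part of the original article: the table name is accepted only if it appears on a fixed allow-list and is bracket-quoted before concatenation, while the value still travels as a typed parameter. It assumes Microsoft.Data.SqlClient; the table names and the connection string are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using Microsoft.Data.SqlClient;

public static class TableNameQuery
{
    // Constructed allow-list (hypothetical names); replace with the tables
    // your application actually owns.
    private static readonly HashSet<string> AllowedTables =
        new HashSet<string>(StringComparer.Ordinal) { "Customers", "Orders", "Invoices" };

    // Builds "SELECT * FROM [Table] WHERE Id = @id" for an allow-listed table.
    // The command is built but not executed, so no database is needed to run this.
    public static SqlCommand BuildSelectById(SqlConnection connection, string tableName, int id)
    {
        if (!AllowedTables.Contains(tableName))
        {
            // Anything not on the list never reaches the SQL text.
            throw new ArgumentException($"Table '{tableName}' is not permitted.", nameof(tableName));
        }

        // Bracket-quote the now-trusted identifier; a ']' inside the name would be
        // doubled, although allow-listed names should never contain one.
        string quoted = "[" + tableName.Replace("]", "]]") + "]";

        var command = new SqlCommand($"SELECT * FROM {quoted} WHERE Id = @id;", connection)
        {
            CommandType = CommandType.Text
        };
        // The value is still a typed parameter, exactly as with a fixed table name.
        command.Parameters.Add("@id", SqlDbType.Int).Value = id;
        return command;
    }

    public static void Main()
    {
        // Placeholder connection string; the connection is never opened here.
        using var connection = new SqlConnection("Server=(local);Database=Shop;Integrated Security=true;");

        SqlCommand ok = BuildSelectById(connection, "Orders", 42);
        Console.WriteLine(ok.CommandText);

        try
        {
            // "AuditLog" is not on the allow-list, so this is rejected.
            BuildSelectById(connection, "AuditLog", 42);
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```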