I want to achieve this:

using System.Data.SqlClient;

public void SQLInfo(string column)
{
    SqlConnection Connect = new SqlConnection(
        "Server=server;Database=db;User ID=user;Password=pass;");
    Connect.Open();
    // [column] here is a literal identifier, not the value of the parameter
    SqlCommand com = new SqlCommand(
        "select distinct [column] from [dbo].[ServerAttributes]", Connect);
    SqlDataReader reader = com.ExecuteReader();
}

I failed to find documentation on this. Is there any specific method to use a string passed through a parameter within a string? For example, in PowerShell you could use the '$' to denote a variable within a string: "This is the $server you're working on."

Comments:

  • You most likely really don't want to do this since it's a perfect way to introduce SQL injection if column can be provided via user input (and it probably can). Commented Jul 21, 2016 at 17:17
  • You're looking for the wonders of string concatenation. Commented Jul 21, 2016 at 17:18
  • Possible duplicate of C# SqlCommand - cannot use parameters for column names, how to resolve? Commented Jul 21, 2016 at 17:19
  • @DavidL I don't want it to be provided via user input because I'm trying to automate this process. I'm only using a handful of columns that will remain fixed unless changes are required. Commented Jul 21, 2016 at 17:20
  • If SQLInfo is called in a loop, use a StringBuilder ... to credit @DavidL ... if anyone inputs "1;delete *" for your column input, you're in for some serious crying time. Commented Jul 21, 2016 at 17:20

3 Answers

Yes, you can, using string.Format() like

public void SQLInfo(string column)
{
    SqlConnection Connect = new SqlConnection(
        "Server=server;Database=db;User ID=user;Password=pass;");
    Connect.Open();
    // {0} is replaced with the column name before the command text is built
    string query = string.Format("select distinct {0} from [dbo].[ServerAttributes]", column);
    SqlCommand com = new SqlCommand(query, Connect);
    SqlDataReader reader = com.ExecuteReader();
}

When using C# lower than 6, use the string formatter

string command = string.Format("SELECT DISTINCT [{0}] FROM [dbo].[ServerAttributes]", column);

For C# 6, you have the string literal operator $. It is translated to the same logic as in the previous version, but makes the code more readable.

string command = $"SELECT DISTINCT [{column}] FROM [dbo].[ServerAttributes];";

You can use string interpolation if you are using C# 6.

public void SQLInfo(string column)
{
    SqlConnection Connect = new SqlConnection(
        "Server=server;Database=db;User ID=user;Password=pass;");
    Connect.Open();
    // {column} is substituted into the command text by string interpolation
    SqlCommand com = new SqlCommand(
        $"select distinct [{column}] from [dbo].[ServerAttributes]", Connect);
    SqlDataReader reader = com.ExecuteReader();
}

Otherwise, use string.Format

public void SQLInfo(string column)
{
    SqlConnection Connect = new SqlConnection(
        "Server=server;Database=db;User ID=user;Password=pass;");
    Connect.Open();
    // {0} is substituted into the command text by string.Format
    SqlCommand com = new SqlCommand(
        string.Format("select distinct [{0}] from [dbo].[ServerAttributes]", column), Connect);
    SqlDataReader reader = com.ExecuteReader();
}

Note: If you're going to do something like this, I would suggest at least checking to make sure the string isn't introducing the '[' character

// string.Remove takes an index, so Replace is used to strip the bracket
column = column.Replace("]", "");
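Added example, not code from any of the answers above: since a column name cannot be passed as a SQL parameter, it builds the query only for names in a fixed allow-list (the asker says only a handful of fixed columns are used) and, as a second layer, quotes the identifier the way T-SQL's QUOTENAME() does by doubling any ']'. The column names in the allow-list and the ColumnQuery class are hypothetical.

```csharp
using System;
using System.Collections.Generic;

public static class ColumnQuery
{
    // Hypothetical allow-list of ServerAttributes columns (constructed for this example).
    private static readonly HashSet<string> AllowedColumns =
        new HashSet<string>(StringComparer.Ordinal)
        {
            "ServerName", "OperatingSystem", "Location"
        };

    // Quote a T-SQL identifier like QUOTENAME(): wrap it in [ ] and double
    // any ] inside so the identifier can never close the brackets early.
    public static string QuoteIdentifier(string name)
    {
        if (string.IsNullOrEmpty(name) || name.Length > 128)
            throw new ArgumentException("Invalid identifier length.", nameof(name));
        return "[" + name.Replace("]", "]]") + "]";
    }

    // Build the query only for an allow-listed column; anything else is
    // rejected before it reaches the command text.
    public static string BuildDistinctQuery(string column)
    {
        if (!AllowedColumns.Contains(column))
            throw new ArgumentException(
                $"Column '{column}' is not in the allow-list.", nameof(column));
        return $"SELECT DISTINCT {QuoteIdentifier(column)} FROM [dbo].[ServerAttributes]";
    }

    public static void Main()
    {
        // A fixed, known column passes and is bracket-quoted.
        Console.WriteLine(BuildDistinctQuery("ServerName"));

        // The input from the comments above is rejected outright.
        try
        {
            BuildDistinctQuery("1;delete *");
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }

        // Quoting alone keeps a stray ] inside the identifier.
        Console.WriteLine(QuoteIdentifier("odd]name"));
    }
}
```

The resulting string is then passed to `new SqlCommand(query, connection)` as in the answers above; the allow-list is what keeps the column name from ever being attacker-controlled.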
