problem with OleDbParameter (using a variable columnname in a sql string ).

Thread starter: Sagaert Johan

Sagaert Johan

Hi

I try to use this as SQL string (the field I compare with is variable):

"SELECT * FROM FMatrix WHERE @wantedfield=@criteria"

I use Parameters.Add with OleDbType.WChar.

Why can't I specify the field I want to use as a parameter?

I have no error, but the query has no result when run.

Of course I could solve it with

string wantedfield="MyField";

"SELECT * FROM FMatrix WHERE " + wantedfield + "=@criteria"

but I suspect it could be done by using Parameters.Add.

Do I need to set the OleDbParameter.SourceColumn?


Any hint?

Johan
 
Chris Priede

Hi,

Sagaert said:
"SELECT * FROM FMatrix WHERE @wantedfield=@criteria"
Why can't I specify the field I want to use as a parameter?
I have no error, but the query has no result when run.

That's because it is a valid query, but it doesn't do what you think it
does. You are comparing the two argument values, which is perfectly legal.
What this will do is return all rows from FMatrix if the value of the
@wantedfield parameter happens to be equal to the value of @criteria; none
otherwise.

Sagaert said:
Of course I could solve it with
"SELECT * FROM FMatrix WHERE " + wantedfield + "=@criteria"

That would be the most reasonable solution for a simple case like yours.

Sagaert said:
but I suspect it could be done by using Parameters.Add

If you really want to, you can achieve it with a considerably more complex
WHERE clause, such as:

SELECT * FROM FMatrix
WHERE (@wantedfield = 'Field1' AND Field1 = @criteria)
OR (@wantedfield = 'Field2' AND Field2 = @criteria)
OR (@wantedfield = 'Field3' AND Field3 = @criteria)
[... and so forth]
 
Just to state the obvious - as ever with string concatenation, with this
approach you should sanity-check the value of wantedfield (e.g. limit it to
a few known values, ideally via an enum or similar), and (in particular) do
*NOT* blindly accept string values from external sources (e.g. as an HTML
form variable) - otherwise you are opening yourself up to an SQL-injection
attack.

An example malformed string for memberfield: "1=0 DELETE FROM FMatrix --"

Marc


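The three variants discussed in this thread, as an added example that is not code from the thread or from any of its posters. It is written in Python against the standard sqlite3 module rather than OleDb, since the point (a placeholder carries a value, never a column name) holds for any parameterised driver; the FMatrix table, its rows and the ALLOWED_FIELDS allowlist are constructed here for illustration.

```python
"""Dynamic column choice with DB-API placeholders, shown with sqlite3."""
import sqlite3

# Constructed sample data (not from the thread): a small FMatrix table.
SAMPLE_ROWS = [
    ("alpha", "x", "1"),
    ("beta", "y", "2"),
    ("gamma", "x", "3"),
]

# Allowlist of column names a caller may select (the "enum or similar"
# Marc suggests). Anything not listed never reaches the SQL text.
ALLOWED_FIELDS = ("Field1", "Field2", "Field3")


def make_db():
    """Create an in-memory FMatrix table populated with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE FMatrix (Field1 TEXT, Field2 TEXT, Field3 TEXT)")
    conn.executemany("INSERT INTO FMatrix VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def query_param_as_column(conn, wantedfield, criteria):
    """Johan's original attempt. Both placeholders are bound as VALUES, so the
    database compares the two strings to each other and never looks at a
    column: all rows if wantedfield == criteria, otherwise none."""
    return conn.execute(
        "SELECT * FROM FMatrix WHERE ? = ?", (wantedfield, criteria)
    ).fetchall()


def query_branching(conn, wantedfield, criteria):
    """Chris's fully parameterised form: one OR branch per known column, each
    guarded by a comparison of the field-name parameter against a literal."""
    sql = (
        "SELECT * FROM FMatrix WHERE "
        "(? = 'Field1' AND Field1 = ?) OR "
        "(? = 'Field2' AND Field2 = ?) OR "
        "(? = 'Field3' AND Field3 = ?)"
    )
    params = (wantedfield, criteria) * 3
    return conn.execute(sql, params).fetchall()


def is_allowed(wantedfield):
    """True only for an exact, case-sensitive member of ALLOWED_FIELDS."""
    return wantedfield in ALLOWED_FIELDS


def query_allowlisted(conn, wantedfield, criteria):
    """Marc's advice applied to the concatenation approach: the column name is
    spliced into the SQL text only after it passes the allowlist, while the
    user-supplied criteria value stays a bound parameter."""
    if not is_allowed(wantedfield):
        raise ValueError(f"unknown field: {wantedfield!r}")
    sql = f"SELECT * FROM FMatrix WHERE {wantedfield} = ?"
    return conn.execute(sql, (criteria,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("param as column:", query_param_as_column(db, "Field2", "x"))
    print("branching:      ", query_branching(db, "Field2", "x"))
    print("allowlisted:    ", query_allowlisted(db, "Field2", "x"))
    print("allowed?        ", is_allowed("1=0 DELETE FROM FMatrix --"))
```

Running the script shows the first query returning nothing for ("Field2", "x") and the other two returning the rows whose Field2 is "x"; the string Marc quotes fails the allowlist check, so it is rejected before any SQL is built. The branching form grows with every column and costs a full scan of all branches, which is why Chris calls the concatenation the reasonable choice for a simple case, provided the column name is constrained as in query_allowlisted.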