problem with OleDbParameter (using a variable columnname in a sql string ).

Hi

I try to use this as SQL string (the field I compare with is variable):

"SELECT * FROM FMatrix WHERE @wantedfield=@criteria"

I use Parameters.Add with OleDbType.WChar.

Why can't I specify the field I want to use as a parameter?

I have no error, but the query has no result when run.

Of course I could solve it with

string wantedfield="MyField";

"SELECT * FROM FMatrix WHERE " + wantedfield + "=@criteria"

but I suspect it could be done by using Parameters.Add.

Do I need to set the OleDbParameter.SourceColumn?
Any hint?

Johan
Dec 2 '05 #1
Hi,

Sagaert Johan wrote:
"SELECT * FROM FMatrix WHERE @wantedfield=@criteria"
Why can't I specify the field I want to use as a parameter?
I have no error, but the query has no result when run.
That's because it is a valid query, but it doesn't do what you think it
does. You are comparing the two argument values, which is perfectly legal.
What this will do is return all rows from FMatrix if the value of the
@wantedfield parameter happens to be equal to the value of @criteria; none
otherwise.
Of course I could solve it with
"SELECT * FROM FMatrix WHERE " + wantedfield + "=@criteria"
That would be the most reasonable solution for a simple case like yours.
but I suspect it could be done by using Parameters.Add


If you really want to, you can achieve it with a considerably more complex
WHERE clause, such as:

SELECT * FROM FMatrix
WHERE (@wantedfield = 'Field1' AND Field1 = @criteria)
OR (@wantedfield = 'Field2' AND Field2 = @criteria)
OR (@wantedfield = 'Field3' AND Field3 = @criteria)
[... and so forth]
--
Chris Priede
Dec 2 '05 #2
Just to state the obvious - as ever with string concatenation, with this
approach you should sanity-check the value of wantedfield (e.g. limit it to
a few known values, ideally via an enum or similar), and (in particular) do
*NOT* blindly accept string values from external sources (e.g. as an HTML
form variable) - otherwise you are opening yourself up to an SQL-injection
attack.

An example malformed string for memberfield: "1=0 DELETE FROM FMatrix --"

Marc

Dec 2 '05 #3
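The three approaches discussed in this thread side by side, as an added example that is not code from any of the posts above. It uses Python's sqlite3 module in place of OleDb (the binding behaviour that matters is the same: a placeholder binds a value, never a table or column identifier) against a constructed three-column FMatrix table; the Column enum is the "few known values" allow-list Marc recommends. The table contents, the function names and the injection payload are assumptions made for the demonstration.

```python
import sqlite3
from enum import Enum


def make_db():
    """Constructed stand-in for the FMatrix table (assumption: three text columns)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE FMatrix (Field1 TEXT, Field2 TEXT, Field3 TEXT)")
    con.executemany(
        "INSERT INTO FMatrix VALUES (?, ?, ?)",
        [("a", "b", "c"), ("x", "a", "z"), ("q", "r", "a")],
    )
    return con


def param_as_column(con, wantedfield, criteria):
    """Johan's original query. Placeholders bind values, never identifiers, so
    this compares the string wantedfield with the string criteria: every row
    comes back when the two strings are equal, nothing otherwise."""
    sql = "SELECT * FROM FMatrix WHERE :wantedfield = :criteria"
    return con.execute(sql, {"wantedfield": wantedfield, "criteria": criteria}).fetchall()


def or_chain(con, wantedfield, criteria):
    """Chris's fully parameterised alternative: one branch per known column."""
    sql = (
        "SELECT * FROM FMatrix WHERE "
        "(:wantedfield = 'Field1' AND Field1 = :criteria) OR "
        "(:wantedfield = 'Field2' AND Field2 = :criteria) OR "
        "(:wantedfield = 'Field3' AND Field3 = :criteria)"
    )
    return con.execute(sql, {"wantedfield": wantedfield, "criteria": criteria}).fetchall()


def concat_unchecked(con, wantedfield, criteria):
    """The concatenation from the thread with no check on wantedfield.
    Whatever the caller passes becomes part of the SQL text."""
    sql = "SELECT * FROM FMatrix WHERE " + wantedfield + " = :criteria"
    return con.execute(sql, {"criteria": criteria}).fetchall()


class Column(Enum):
    """Allow-list of column names a caller may select on (Marc's enum)."""
    FIELD1 = "Field1"
    FIELD2 = "Field2"
    FIELD3 = "Field3"


def is_allowed_column(name):
    """Exact match against the enum; no normalisation, no partial matches."""
    return any(name == c.value for c in Column)


def concat_allowlisted(con, wantedfield, criteria):
    """Concatenation again, but the identifier must be on the allow-list before
    it touches the SQL string; the comparison value still goes in as a parameter."""
    if not is_allowed_column(wantedfield):
        raise ValueError(f"column not allowed: {wantedfield!r}")
    sql = 'SELECT * FROM FMatrix WHERE "' + wantedfield + '" = :criteria'
    return con.execute(sql, {"criteria": criteria}).fetchall()


# Constructed injection payload for the column slot: it closes the comparison,
# adds an always-true condition and comments out the rest of the statement.
INJECTION = "Field1 = '' OR 1=1 --"

if __name__ == "__main__":
    con = make_db()
    print("param as column :", param_as_column(con, "Field2", "a"))   # []
    print("OR chain        :", or_chain(con, "Field2", "a"))           # [('x', 'a', 'z')]
    print("unchecked concat:", concat_unchecked(con, INJECTION, "a"))  # all three rows
    try:
        concat_allowlisted(con, INJECTION, "a")
    except ValueError as e:
        print("allow-listed    :", e)
```

The unchecked version returns the whole table for the payload because the driver never sees `:criteria` at all; it is inside the comment. The allow-listed version rejects the same string before any SQL is built, which is the check Marc is asking for: compare the identifier against a closed set, not against a pattern.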
