Just to state the obvious - as ever with string concatenation, with this
approach you should sanity-check the value of wantedfield (e.g. limit it to
a few known values, ideally via an enum or similar), and (in particular) do
*NOT* blindly accept string values from external sources (e.g. as an HTML
form variable) - otherwise you are opening yourself up to an SQL-injection
attack.
An example malformed string for memberfield: "1=0 DELETE FROM FMatrix --"
Marc
"Chris Priede" <pr****@panix.com> wrote in message
news:%2***************@TK2MSFTNGP11.phx.gbl...
Hi,
Sagaert Johan wrote: "SELECT * FROM FMatrix WHERE @wantedfield=@criteria"
Why can't I specify the field I want to use as a parameter?
I have no error, but the query has no result when run.
That's because it is a valid query, but it doesn't do what you think it
does. You are comparing the two argument values, which is perfectly legal.
What this will do is return all rows from FMatrix if the value of
@wantedfield parameter happens to be equal to value of @criteria; none
otherwise.
Of course I could solve it with
"SELECT * FROM FMatrix WHERE " + wantedfield + "=@criteria"
That would be the most reasonable solution for a simple case like yours.
But I suspect it could be done by using parameters.Add
If you really want to, you can achieve it with a considerably more complex
WHERE clause, such as:
SELECT * FROM FMatrix
WHERE (@wantedfield = 'Field1' AND Field1 = @criteria)
OR (@wantedfield = 'Field2' AND Field2 = @criteria)
OR (@wantedfield = 'Field3' AND Field3 = @criteria)
[... and so forth]
--
Chris Priede
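As an added illustration of the three points in this thread (the parameter-to-parameter comparison that returns nothing, the allowlisted concatenation Marc recommends, and Chris's fully parameterised OR-clause), here is a small Python/SQLite stand-in; it is not code from either poster, and the FMatrix columns Field1..Field3 and the sample rows are constructed for the demo.

```python
import sqlite3

# Constructed allowlist of column names a caller may filter on; anything else
# (including the thread's "1=0 DELETE FROM FMatrix --" string) is rejected.
ALLOWED_FIELDS = frozenset({"Field1", "Field2", "Field3"})


def is_allowed_field(wantedfield):
    """True only for a known column name; this is the enum-style check."""
    return wantedfield in ALLOWED_FIELDS


def rows_if_parameters_equal(conn, wantedfield, criteria):
    """The original query: both sides are bound values, so the WHERE clause
    is simply 'is @wantedfield equal to @criteria' for every row."""
    sql = "SELECT * FROM FMatrix WHERE @wantedfield = @criteria"
    rows = conn.execute(sql, {"wantedfield": wantedfield, "criteria": criteria})
    return len(rows.fetchall())


def find_by_field(conn, wantedfield, criteria):
    """Concatenate the column name only after it passes the allowlist;
    the comparison value still travels as a bound parameter."""
    if not is_allowed_field(wantedfield):
        raise ValueError("unknown field: %r" % (wantedfield,))
    sql = "SELECT * FROM FMatrix WHERE " + wantedfield + " = @criteria"
    return conn.execute(sql, {"criteria": criteria}).fetchall()


def find_by_field_parameterized(conn, wantedfield, criteria):
    """No SQL text is built from input: every column is enumerated and the
    matching branch is selected by the value of @wantedfield."""
    sql = ("SELECT * FROM FMatrix WHERE "
           "(@wantedfield = 'Field1' AND Field1 = @criteria) "
           "OR (@wantedfield = 'Field2' AND Field2 = @criteria) "
           "OR (@wantedfield = 'Field3' AND Field3 = @criteria)")
    params = {"wantedfield": wantedfield, "criteria": criteria}
    return conn.execute(sql, params).fetchall()


def make_db():
    """In-memory FMatrix with three constructed rows (SQLite accepts @name
    parameters just like SQL Server, so the queries read the same)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE FMatrix (Field1 TEXT, Field2 TEXT, Field3 TEXT)")
    conn.executemany("INSERT INTO FMatrix VALUES (?, ?, ?)",
                     [("a", "b", "c"), ("x", "b", "z"), ("a", "q", "z")])
    return conn
```

An unknown column name raises before any SQL is assembled, while the OR-clause version simply returns no rows for it.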