我想知道如何通过SqlCommand的C＃的传递表名和表字段名。

I would like to know how to pass the table name and a table field name via SqlCommand on C#.

Tryied做它通过设置SqlCommand时使用的@符号做，但没有工作的方式。任何想法??

Tryied to do it the way it's done by setting the SqlCommand with the @ symbol but didn't work. Any ideas??

推荐答案

如果你担心SQL注入，在 SqlCommandBuilder 类（和的 DbCommandBuilder ）有一个名为QuoteIdentifier函数，将正确逃不出你的表名。

If you are worried about SQL injection, the SqlCommandBuilder class (and other DB specific versions of DbCommandBuilder) have a function called QuoteIdentifier that will escape your table name properly.

var builder = new SqlCommandBuilder();
string escTableName = builder.QuoteIdentifier(tableName);

现在，你可以建立你的声明时所使用的转义值，而不必担心注塑但你仍然应该使用参数的任何值。

Now you can used the escaped value when building your statement and not have to worry about injection- but you should still be using parameters for any values.