Pass Table Name as Parameter to Dapper

Tags:

dapper

Is it possible to pass in the table name as a parameter to a Dapper Query command? I'm not looking for a SQL table-defined function or a SQL table variable. I want to define the table name within C# and pass it to Dapper. Here's my code, which, when executed, returns the error: Must declare the table variable "@TableName"

var foo = conn.Query("SELECT * FROM @TableName WHERE Id = @Id", new { TableName = "MyTable", Id = 123 });
bigmac asked Jul 29 '14 14:07



2 Answers

SQL does not support parameterized table names, and dapper is a very very thin wrapper over SQL - so: no.

You could, however, use string.Format:

string sql = string.Format("... from [{0}] ...", tableName);

Note that even with the [/] this has an inherent SQL injection risk.

Marc Gravell answered Sep 20 '22 14:09


You could check to see if the table exists first to protect from SQL injection:

// The table name is passed as a real parameter here, so this check itself is injection-safe.
string tableNameExistsCheck = "SELECT count(1) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = @tableName";

if (c.QuerySingle<int>(tableNameExistsCheck, new { tableName }) == 1)
{
    // Only a name that exists in the catalog is ever spliced into the query text.
    string sql = string.Format("... from [{0}] ...", tableName);
    var result = c.Query(sql);
}
user841657 answered Sep 20 '22 14:09
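Pulling the two answers together, the following is an added example (not code from either answer, and not part of Dapper itself) of how a caller can splice a table name into a Dapper query while keeping the injection risk contained: the name is first matched against a fixed allow-list, then confirmed against INFORMATION_SCHEMA with a real parameter, and finally bracket-quoted with any `]` doubled before it reaches the SQL text. The `AllowedTables` set, the table names in it and the `Id` column are constructed for the example; `conn` is any open Dapper-compatible `IDbConnection` to SQL Server.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using Dapper;

// Added example, not from the original answers.
public static class SafeTableQuery
{
    // Constructed allow-list: the only tables this code may ever read from.
    private static readonly HashSet<string> AllowedTables =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "MyTable", "OtherTable" };

    // Quote a SQL Server identifier: wrap it in [ ] and double any ] inside it,
    // so a name such as  x] ; DROP TABLE y --  cannot break out of the brackets.
    public static string QuoteIdentifier(string name) =>
        "[" + name.Replace("]", "]]") + "]";

    // Return the name only if it is allow-listed and present in the catalog.
    public static string ResolveTable(IDbConnection conn, string requested)
    {
        if (string.IsNullOrWhiteSpace(requested) || !AllowedTables.Contains(requested))
            throw new ArgumentException($"Table '{requested}' is not permitted.");

        // Same catalog check as the second answer; the name is a real parameter here.
        const string existsSql =
            "SELECT COUNT(1) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = @name";
        if (conn.QuerySingle<int>(existsSql, new { name = requested }) != 1)
            throw new ArgumentException($"Table '{requested}' does not exist.");

        return requested;
    }

    // The identifier is spliced into the SQL text; the Id value still travels as @Id.
    public static IEnumerable<dynamic> GetById(IDbConnection conn, string requested, int id)
    {
        string table = ResolveTable(conn, requested);
        string sql = $"SELECT * FROM {QuoteIdentifier(table)} WHERE Id = @Id";
        return conn.Query(sql, new { Id = id });
    }
}

// Usage (conn is an open IDbConnection):
//   var rows = SafeTableQuery.GetById(conn, "MyTable", 123);
```

The allow-list is what actually bounds the attack surface; the INFORMATION_SCHEMA query only confirms that the chosen name is a real table, and `QuoteIdentifier` makes sure the spliced name cannot terminate the bracketed identifier even if the list is later widened to include unusual names.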