Robert

Reputation: 1794

Pass field name in dapper query

I'm creating a function where I check if a maintenance day is checked in the database. Each Column is Maintenance + DayName (MaintenanceSunday, MaintenanceMonday, etc.).

It appears that any time you pass in an object, it wants to take the value of what is being checked and not "inject" the string. Is there a way to safely achieve this (i.e. not String.Format("where {0} = ...", field))? I really don't want to open up the possibility of SQL injection here (though there is an earlier check to see if q.ToUpper() is in a list of "SUNDAY", "MONDAY", etc., so I guess there's that safeguard).

I attempted this, but it bombs attempting to compare 'Maintenancesunday' to true (bit):

string field = "Maintenance" + q; // q = "sunday"
return conn.Query<Data>("SELECT * FROM Data WHERE @Field = @Value", new { Field = field, Value = true }).ToList();

Upvotes: 2

Views: 1837

Answers (1)

Henk Mollema

Reputation: 46591

Dapper just uses ADO.NET, which doesn't support parameterized column names. I guess you need some hard-coding to accomplish this.

Upvotes: 3
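The failing query in the question and the answer's point can be shown side by side. With `WHERE @Field = @Value`, ADO.NET sends the column name as a string parameter, so SQL Server compares the literal 'MaintenanceSunday' to the bit value 1 rather than reading the column; identifiers cannot be parameterized. The safe pattern is the one the question already hints at: keep a fixed whitelist, use the user's input only as a lookup key into it, and put the resolved column name (never the raw input) into the SQL text while keeping the comparison value as a real parameter. The code below is an added example, not code from the question, the answer, or Dapper itself; the `Data` class, the `Microsoft.Data.SqlClient` provider and the column list are assumptions about the asker's schema.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using Dapper;
using Microsoft.Data.SqlClient; // assumption: SQL Server; any ADO.NET provider behaves the same

// Assumed shape of the asker's table; only the day columns matter for this example.
public class Data
{
    public int Id { get; set; }
    public bool MaintenanceSunday { get; set; }
    public bool MaintenanceMonday { get; set; }
    public bool MaintenanceTuesday { get; set; }
    public bool MaintenanceWednesday { get; set; }
    public bool MaintenanceThursday { get; set; }
    public bool MaintenanceFriday { get; set; }
    public bool MaintenanceSaturday { get; set; }
}

public static class MaintenanceQueries
{
    // Whitelist of column names. Request input is only ever used as a dictionary key;
    // the string that reaches the SQL text always comes from the right-hand side here.
    private static readonly IReadOnlyDictionary<string, string> DayColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["Sunday"]    = "MaintenanceSunday",
            ["Monday"]    = "MaintenanceMonday",
            ["Tuesday"]   = "MaintenanceTuesday",
            ["Wednesday"] = "MaintenanceWednesday",
            ["Thursday"]  = "MaintenanceThursday",
            ["Friday"]    = "MaintenanceFriday",
            ["Saturday"]  = "MaintenanceSaturday",
        };

    // Resolves a day name to one of the seven known column names, or throws.
    // Anything that is not exactly a day name, e.g. "Sunday] = 1 OR 1=1 --", is rejected.
    public static string ColumnFor(string day)
    {
        if (day != null && DayColumns.TryGetValue(day.Trim(), out var column))
            return column;
        throw new ArgumentOutOfRangeException(nameof(day), "not a maintenance day column");
    }

    // Builds the query from the whitelisted column name; the bit value stays a parameter.
    public static string SqlFor(string day) =>
        $"SELECT * FROM Data WHERE [{ColumnFor(day)}] = @Value";

    public static List<Data> MaintenanceOn(IDbConnection conn, string day) =>
        conn.Query<Data>(SqlFor(day), new { Value = true }).AsList();

    // What the original attempt actually sends: the column name arrives as a
    // varchar parameter, so this compares the string 'MaintenanceSunday' with 1.
    public static string BrokenSql => "SELECT * FROM Data WHERE @Field = @Value";

    public static void Main()
    {
        Console.WriteLine(SqlFor("sunday"));   // SELECT * FROM Data WHERE [MaintenanceSunday] = @Value
        try
        {
            SqlFor("Sunday] = 1 OR 1=1 --");   // never reaches the SQL text
        }
        catch (ArgumentOutOfRangeException e)
        {
            Console.WriteLine("rejected: " + e.ParamName);
        }

        // Runs only against a real database; connection string is a placeholder assumption.
        // using IDbConnection conn = new SqlConnection("Server=.;Database=App;Integrated Security=true");
        // var rows = MaintenanceOn(conn, "sunday");
    }
}
```

The bracket quoting around the column name is a second line of defence only; the security property comes from `ColumnFor`, which can return nothing except the seven literals in the dictionary. Keeping that lookup in one place also means a new column (or a renamed one) is a one-line change rather than a search through every call site that concatenates "Maintenance" + q.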
