Sunday 15 August 2010

c# - As it does not seem possible to specify the name of a table in a parameterized query, is there a safe alternative?




I have a class, valuesfield, that manages the values for comboboxes.

The constructor specifies the database table from which the values can be retrieved, along with the 2 fields from which to select data.

    public valuesfield(string databasetable, string idfield, string valuefield)
    {
        this.databasetable = databasetable;
        this.idfield = idfield;
        this.valuefield = valuefield;
    }

My method, getvalues(), retrieves this info (from which the combobox can be populated). I was constructing the CommandText as a simple string, but wanted to use a parameterized query for safety.

The simple string command -

    dbcommand.CommandText = "select " + idfield + "," + valuefield + " from " + databasetable + " order by " + valuefield;

The parameterized query -

    dbcommand.CommandText = "select @idfield, @valuefield from @databasetable order by @valuefield";
    dbcommand.Parameters.AddWithValue("@idfield", idfield);
    dbcommand.Parameters.AddWithValue("@valuefield", valuefield);
    dbcommand.Parameters.AddWithValue("@databasetable", databasetable);
    dbreader = dbcommand.ExecuteReader();

The parameterized query throws a MySqlException on ExecuteReader() with the message 'You have an error in your SQL syntax'.

I checked the value of CommandText at the point the exception is thrown (using a watch), and CommandText still shows "select @idfield, @valuefield from @databasetable order by @valuefield" - so I am not sure how to examine the syntax for obvious errors.

I see that this is apparently not possible according to this answer.

Is there a way to view the actual CommandText with the values included, in order to diagnose syntax errors?

Is there a safe alternative to specify the table name, if indeed using a parameterized query is not possible?

Try creating a generic table for combo boxes: [id, value, combo], and add together the combo metadata with the other tables.

Or utilize the repository pattern :)

c# mysql sql
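
One common way to handle the table-name problem asked about above, shown as an added example that is not part of the original question or its answers: since identifiers cannot be bound as parameters, check them against a fixed allowlist and backtick-quote them before building the command text. The class name ComboQuery, the method BuildSelect and the table and column names are assumptions made up for illustration.

```csharp
using System;
using System.Collections.Generic;

static class ComboQuery
{
    // Constructed allowlist (assumption): the only tables and columns a combobox may read.
    static readonly Dictionary<string, HashSet<string>> Allowed =
        new Dictionary<string, HashSet<string>>
        {
            ["countries"] = new HashSet<string> { "id", "name" },
            ["departments"] = new HashSet<string> { "dept_id", "title" },
        };

    // MySQL identifier quoting: wrap in backticks and double any embedded backtick.
    static string Quote(string identifier) => "`" + identifier.Replace("`", "``") + "`";

    // Returns the SELECT text, or throws if any identifier is not on the allowlist.
    public static string BuildSelect(string table, string idField, string valueField)
    {
        if (table == null || !Allowed.TryGetValue(table, out var columns))
            throw new ArgumentException("Table is not allowlisted: " + table);

        foreach (var column in new[] { idField, valueField })
            if (column == null || !columns.Contains(column))
                throw new ArgumentException("Column is not allowlisted for " + table + ": " + column);

        return "SELECT " + Quote(idField) + ", " + Quote(valueField) +
               " FROM " + Quote(table) + " ORDER BY " + Quote(valueField);
    }

    static void Main()
    {
        // Known identifiers produce a fully quoted statement.
        Console.WriteLine(BuildSelect("countries", "id", "name"));

        try
        {
            // Constructed hostile input: rejected before any SQL text is built.
            BuildSelect("countries; DROP TABLE countries", "id", "name");
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

The returned string is what would be assigned to CommandText; any data values in a WHERE clause would still be passed with Parameters.AddWithValue.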
