使用的SqlParameter用C＃ASP.NET的安全性和SQL Server 2008 R2

Question

我將下面的C＃標記使用的SqlParameter（我是新來的SqlParameter），以增強安全性：

public static void EmptyTable(string TableToEmpty) 
{ 
    try 
    { 
     using (SqlConnection conn = new SqlConnection(DatabaseConnectionString)) 
     { 
      using (SqlCommand cmd = new SqlCommand("TRUNCATE TABLE @prmTableToEmpty", conn)) 
      //using (SqlCommand cmd = new SqlCommand("TRUNCATE TABLE " + TableToEmpty, conn)) 
      { 
       cmd.Parameters.Add(new SqlParameter("@prmTableToEmpty", TableToEmpty)); 
       cmd.Connection.Open(); 
       cmd.ExecuteNonQuery(); 
      } 
     } 
    } 
    catch 
    { 
     throw; 
    } 
} 

無該參數使用它工作順利。但是，通過這種語法，我得到以下例外：

[SqlException (0x80131904): Incorrect syntax near '@prmTableToEmpty'.] 
    System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) +2073550 
    System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) +5064508 
    System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning() +234 
    System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) +2275 
    System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) +215 
    System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async) +987 
    System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result) +162 
    System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe) +178 
    System.Data.SqlClient.SqlCommand.ExecuteNonQuery() +137 
    pjsql.EmptyTable(String TableToEmpty) in c:\website\App_Code\mySqlClass.cs:67 
    _Default.btnEmptyTheTable_Click(Object sender, EventArgs e) in c:\website\Default.aspx.cs:83 
    System.Web.UI.WebControls.Button.OnClick(EventArgs e) +118 
    System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +112 
    System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +10 
    System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +13 
    System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +36 
    System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +5563 

提到的兩個行號都包含throw;命令。

我通過這個去：http://msdn.microsoft.com/en-us/library/4f844fc7(v=vs.71).aspx

，並嘗試這種替代語法：http://www.csharp-station.com/Tutorials/AdoDotNet/Lesson06.aspx

，但沒有運氣。

我錯過了什麼？

Answer 1

參數不能用於替代對象名稱。

爲了增強secutiry當動態代對象名稱，使用quotename（首先使用一個參數執行命令select quotename(@prmTableToEmpty)，然後使用此命令的結果來建立您truncate COMAND和不帶參數執行它）。

using (SqlConnection conn = new SqlConnection(DatabaseConnectionString)) 
{ 
    conn.Open(); 

    string sanitized_name; 

    using (SqlCommand cmd = new SqlCommand("select quotename(@prmTableToEmpty)", conn)) 
    { 
     cmd.Parameters.Add(new SqlParameter("@prmTableToEmpty", TableToEmpty)); 
     sanitized_name = (string)cmd.ExecuteScalar(); 
    } 

    using (SqlCommand cmd = new SqlCommand("TRUNCATE TABLE " + sanitized_name, conn)) 
    { 
     cmd.ExecuteNonQuery(); 
    } 
}