can dapper replace the table name?

c# dapper

Question

I had expected that dapper-dot-net could replace the table name in a query like this:

connection.Query("SELECT * FROM @Table WHERE [Id] = @Id", new {Table = tb, Id = id});

However, it seems to not replace the table name. Is that an expected limitation?

Accepted Answer

With the single exception of "in" (where dapper offers some voodoo), dapper is a direct ADO.NET tool - it doesn't change the query. So the real question is: can you parameterize a table name in SQL? In every database I know of: no you cannot - so that is not valid. Dapper doesn't attempt to solve that issue.

Perhaps consider string.Format, remembering:

  • to white-list the legal table-names to prevent SQL injection
  • to use the full [square brackets] notation around the table name to allow the full range of possible names



Licensed under: CC-BY-SA with attribution
Not affiliated with Stack Overflow
Is this KB legal? Yes, learn why
Licensed under: CC-BY-SA with attribution
Not affiliated with Stack Overflow
Is this KB legal? Yes, learn why