| Bug #81189 | ASP.NET MySqlCommand With Parameters Not Functioning Correctly | ||
|---|---|---|---|
| Submitted: | 24 Apr 2016 19:41 | Modified: | 24 Apr 2016 19:58 |
| Reporter: | Kyle Grygo | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | Connector / NET | Severity: | S2 (Serious) |
| Version: | 5.2.7.0 | OS: | Windows |
| Assigned to: | | CPU Architecture: | Any |
| Tags: | MySqlCommand | ||
[24 Apr 2016 19:58]
Kyle Grygo
I was not aware you could not parameterize the table you wanted to read from.

Description:
I am attempting to do this in a program:

```csharp
var cmd = new MySqlCommand
{
    CommandText = "SELECT * FROM @Table WHERE Id = @Id",
    Connection = _connection
};
cmd.Parameters.AddWithValue("@Table", table.ToString()); // table is an enum
cmd.Parameters.AddWithValue("@Id", id);
```

When this executes in the particular test I am running, cmd's query is supposed to be:

```sql
SELECT * FROM SESSION WHERE Id = 9
```

Instead this query is made and fails to run because it contains a syntax error:

```sql
SELECT * FROM 'SESSION' WHERE Id = 9
```

How to repeat:
Pass a string into a MySqlCommand parameter and observe that the string gets encapsulated in single quotes and breaks the query.

Suggested fix:
Don't encapsulate strings that are passed in with single quotes.
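
The follow-up comment notes that the table name cannot be a parameter. The sketch below is an added example, not code from the report or from Connector/NET: it resolves the table through an allowlist and keeps `@Id` as a bound parameter, so the quoting the report asks to remove stays in place for values. The `Table` enum members other than `SESSION`, the `SafeQuery` class and its method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using MySql.Data.MySqlClient;

// Hypothetical enum: only SESSION appears in the report.
public enum Table { SESSION, ACCOUNT }

public static class SafeQuery
{
    // Allowlist: the only identifiers that can ever reach the SQL text.
    private static readonly Dictionary<Table, string> TableNames =
        new Dictionary<Table, string>
        {
            { Table.SESSION, "SESSION" },
            { Table.ACCOUNT, "ACCOUNT" },
        };

    public static string SelectByIdSql(Table table)
    {
        // A cast such as (Table)42 produces a value outside the enum, so the
        // name is looked up instead of trusting table.ToString().
        string name;
        if (!TableNames.TryGetValue(table, out name))
            throw new ArgumentOutOfRangeException(nameof(table), "unknown table");

        // Backticks quote an identifier in MySQL; single quotes make a string
        // literal, which is why FROM 'SESSION' is a syntax error.
        return "SELECT * FROM `" + name + "` WHERE Id = @Id";
    }

    public static MySqlCommand SelectById(MySqlConnection connection, Table table, int id)
    {
        var cmd = new MySqlCommand(SelectByIdSql(table), connection);
        // Values are still bound as parameters, never concatenated.
        cmd.Parameters.AddWithValue("@Id", id);
        return cmd;
    }
}
```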