Generally things like column names (or table names) can not be parameterised - and the fact that there are different indices means that it will have to be a different plan internally. So you will have to use concatenation - but be careful to white-list the known column names to prevent sql injection:
SQLiteCommand cmd = new SQLiteCommand(@" SELECT [ID],[email],[serializedata],[restrictions] FROM " + whiteListedUserTable + @" WHERE [" + whiteListedColumnName + @"] = @searchparam", SQLConnection); cmd.Parameters.Add(new SQLiteParameter("@searchparam")); ... Command.Parameters["@searchparam"].Value = searchdata;
You cannot use a query parameter in that fashion -- to indicate a column name. You can only use it to supply values.
Consider something like this instead:
SQLiteCommand cmd = new SQLiteCommand( "SELECT [ID]" + ",[email]" + ",[serializedata]" + ",[restrictions]" + " FROM " + UserTable + " WHERE [" + search + "] = @searchparam", SQLConnection); cmd.Parameters.Add(new SQLiteParameter("@searchparam"));
If you control all of the input to this function and none if it can be supplied by someone other than you, this should be safe. But if
search comes from an untrusted third party, be sure to make the appropriate security checks on the value.