Hi!

I'm trying to dynamically accept a table name depending on the conditions satisfied, also the column name is selected dynamically, and so is the comparison value, but I'm getting an error while running it. I'm writing this code in C# and my backend is SQL server 2005. Please help me.

Here is the code:


   if( table=="studenttab")

                   table = "personal_detail";

               thisconnection1.Open();

               string p = field[0].ToString().ToLower();

               string q = code[0].ToString();

           SqlCommand thiscommand3 = thisconnection1.CreateCommand();

           thiscommand3.CommandText = " Select * from '" + table + "' where '" + p + "' = '" + q + "' ";

           // here it gives error "Incorrect syntax near 'personal_detail'." Dont understand!

           SqlDataReader thisreader3 = thiscommand3.ExecuteReader();

A: 

Your code is missing several closing braces, a closing quote, and it seems to have misleading indentation.

Svante
+2  A: 

To answer your specific question, I would guess the error is due to the fact that you are surrounding your table name and column names with single quotes. Your object names should not be surrounded with quotes of any kind.

As a side note, please look into the problems associated with SQL injection attacks. The kind of SQL concatenation you are doing here is widely considered a huge security risk.

JeremyDWill
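The following is an added example, not code from the question or from either answer, showing how the dynamic lookup can be written without string concatenation of untrusted input. The table and column names come from a fixed whitelist (T-SQL cannot parameterise object names, so a whitelist is the usual substitute), identifiers are bracket-quoted rather than single-quoted, and only the comparison value is passed as a parameter. The `AllowedTables`/`AllowedColumns` contents, the `course_detail` table and the connection string are constructed placeholders for illustration; only `studenttab` and `personal_detail` come from the question.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the question or the answers). Object names are
// taken from a whitelist; the value is sent as a SqlParameter.
static class DynamicLookup
{
    // Hypothetical schema: logical names as the UI uses them, mapped to real table names.
    private static readonly Dictionary<string, string> AllowedTables =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "studenttab", "personal_detail" },   // from the question
            { "coursetab",  "course_detail"   },   // constructed second entry
        };

    // Hypothetical column whitelist per real table.
    private static readonly Dictionary<string, HashSet<string>> AllowedColumns =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "personal_detail", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "roll_no", "name" } },
            { "course_detail",   new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "course_id", "title" } },
        };

    // Builds the command, or throws if the caller asks for a table or column
    // that is not on the whitelist. Nothing the caller supplies is ever
    // concatenated into the SQL text.
    public static SqlCommand BuildSelect(SqlConnection conn, string logicalTable, string column, string value)
    {
        string table;
        if (!AllowedTables.TryGetValue(logicalTable, out table))
            throw new ArgumentException("Unknown table: " + logicalTable);

        HashSet<string> columns;
        if (!AllowedColumns.TryGetValue(table, out columns) || !columns.Contains(column))
            throw new ArgumentException("Unknown column: " + column);

        SqlCommand cmd = conn.CreateCommand();
        // Identifiers are bracket-quoted (never single-quoted); the value is a parameter.
        cmd.CommandText = "SELECT * FROM [" + table + "] WHERE [" + column + "] = @value";
        cmd.Parameters.Add("@value", SqlDbType.NVarChar, 200).Value = value;
        return cmd;
    }

    static void Main()
    {
        // Placeholder connection string; replace with your own.
        using (SqlConnection conn = new SqlConnection("Server=.;Database=School;Integrated Security=true"))
        {
            conn.Open();
            using (SqlCommand cmd = BuildSelect(conn, "studenttab", "roll_no", "42"))
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    Console.WriteLine(reader[0]);
            }
        }
    }
}
```

Because the whitelist values are fixed strings under the developer's control, bracket-quoting them is safe; the only caller-controlled input that reaches SQL Server is `@value`, which the driver sends separately from the statement text, so a value such as `' OR 1=1 --` is compared literally rather than interpreted.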