tags:

views:

90

answers:

7
+1  Q: 

i'm lost: what is wrong with this ado.net code?

well, the question is clear i hope, the code is this:

string sql = "delete from @tabelnaam";
            SqlCommand sc = new SqlCommand();

                sc.Connection = getConnection();
                sc.CommandType = CommandType.Text;
                sc.CommandText = sql;
                SqlParameter param = new SqlParameter();

                param.Direction = ParameterDirection.Input;
                param.ParameterName = "@tabelnaam";
                param.Value  = tableName;

                sc.Parameters.Add(param);
                OpenConnection(sc);
                sc.ExecuteScalar();

tableName is supplied to this function.

I get the exception: 

Must declare the table variable @tabelnaam
+3  A: 

IIRC, you cant use a substitute the table name for a parameter.

Rather build the SQL string containing the correct table name.

leppie  2010-06-24 10:43:37
doesn't that lead to sql injection?
Michel  2010-06-24 11:12:37
@Michel: How do you come to that conclusion?
leppie  2010-06-24 11:20:02
@leppie - of course it is a sql injection risk if the source of the string is via an untrusted source (such as user input). What if I entered the following "table name": "MyTable; DROP DATABASE MyDb".
Rob Levine  2010-06-24 11:31:38
+1  A: 

Make to changes

rather than using paramter use this

string sql = string.format( "delete from {0}",tableName);

make use of executenonquery intead of ExecuteScalar 

sc.ExecuteNonQuery();
Pranay Rana  2010-06-24 10:44:19
doesn't that lead to sql injection?
Michel  2010-06-24 11:15:15
you can avoide this by validating the tablename properly
Pranay Rana  2010-06-24 11:37:42
A: 

I dont think you can parameterize the table name. From what I have read you can do it via Dynamic sql and calling sp_ExecuteSQL.

Steve  2010-06-24 10:44:25
huh? so i can do this 'select * from client where name = @name' but i can't do this: 'delete from @table'?
Michel  2010-06-24 11:16:58
@michel - exactly.
Rob Levine  2010-06-24 11:33:41
[surprised] thanks for the comment
Michel  2010-06-28 09:27:19
A: 

Your SQL is incorrect, you are deleting from a table variable yet you haven't defined that variable.

Update: as someone has pointed out, you are trying to dynamically build a query string but have inadvertantly used SQL parameters (these do not act as place holders for string literals).

Adam  2010-06-24 10:44:26
Thanks for the edit, didn't spot that :)
Adam  2010-06-24 10:51:52
i'm not sure i know what you mean.
Michel  2010-06-24 11:14:40
The @tableName syntax you used followed by the comm.Parameters collection gave you something called "Parameterized SQL". The command was trying to put a "value" into the @tableName instead of the string literal that you intended. You simply wanted to build a chunk of SQL without any parameters using a string.
Adam  2010-06-24 11:23:46
A: 

More here: http://stackoverflow.com/questions/372033/parametise-table-name-in-net-sql

andyb  2010-06-24 10:49:39
+1  A: 

As mentioned by others, you can't parameterise the table name.

However, as you rightly mention in comments on other answers, using simple string manipulation potentialy introduces a SQL injection risk:

If your table name input is fro an untrusted source, such as user input, then using this:

string sql = string.format( "DELETE FROM {0}",tableName);

leaves you open to the table name "myTable; DROP DATABASE MyDb" being inserted, to give you:

DELETE FROM myDb; DROP DATABASE MyDB

The way round this is to delimit the table name doing something such as this:

string sql = string.format("DELETE FROM dbo.[{0}]", tableName);

in combination with checking that the input does not contain either '[' or ']'; you should probably check it also doesn't contain any other characters that can't be used as a table name, such as period and quotes.

Rob Levine  2010-06-24 11:37:55
You mean `dbo.` not `do.`? Tables can live in other schemas, though.
Rup  2010-06-24 11:41:37
@Rup - I did - good spot, thank you. It's true, they can live in other schemas. I am just trying to impress the idea upon the OP to keep things *as restricted as possible*. If the tables are in other schemas, then this would need relaxing, but *only if* that is the case.
Rob Levine  2010-06-24 11:44:53
A: 

You cannot parameterise the table name, you have to inject it into the command text.

What you can and should do is protect yourself against SQL injection by delimiting the name thus:

public static string Delimit(string name) {
    return "[" + name.Replace("]", "]]") + "]";
}

// Construct the command...
sc.CommandType = CommandType.Text;
sc.CommandText = "delete from " + Delimit(tableName);
sc.ExecuteNonQuery();

See here and here for more background info.

Christian Hayter  2010-06-24 11:49:39

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?