0

I have a SqlCommand string to create an SqlServer Data table as below:

`string EFTGeneral = @`"CREATE TABLE [EFT.GER2] (
                                [TestOrderName]   VARCHAR(20)  NOT NULL,    
                                [Template]        VARCHAR(50)  NULL,
                                [Purpose]         VARCHAR(100) NULL,
                                [Category]        VARCHAR(50)  NULL,
                                [DateCreated]         DATETIME NULL,
                                [CreatedBy]       VARCHAR(30)  NULL,
                                [TestObjectBatch] VARCHAR(20)  NULL,
                                [LoadDirection]   VARCHAR(2)   NULL,
                                [ElementType]     VARCHAR(10)  NULL,
                                [FatigueTestType] VARCHAR(50)  NULL,
                                [LoadAmplitude]            INT NULL,
                                [LoadStatic]      INT NULL,
                                [UntilBreakage]   VARCHAR(5)   NULL,
                                [NumberOfObject]           INT NULL,
                                [Remarks]         VARCHAR(200) NULL,
                                PRIMARY KEY CLUSTERED([TestOrderName] ASC));";

But I want to create the Table name dynamitically by replace the table name in the above string by the textbox.Text, How can I do it? Thank you very much

Christos
  • 50,311
  • 8
  • 62
  • 97
Nam
  • 1

3 Answers3

0

Normally I would say "don't do it" as inserting user input into your queries opens up the SQL injection vulnerability. The correct way would be to use parameterized queries.

Unfortunatly, parameters can only be used for values, but not for table or column names. So to easily replace the table name in your query you could simply do a Replace() like that:

EFTGeneral = EFTGeneral.Replace("[EFT.GER2]", "[" + textBox.Text + "]");

But you should make sure that textBox.Text is a valid table name and not something like "; DROP TABLE Users --". This answer shows how you can validate the table name.

Community
  • 1
  • 1
René Vogt
  • 40,163
  • 14
  • 65
  • 85
0

Use SqlCommand to dynamically build your query avoiding risks of injection:

string EFTGeneral = @"CREATE TABLE [EFT.@tableName] (
                                [TestOrderName]   VARCHAR(20)  NOT NULL,    
                                [Template]        VARCHAR(50)  NULL,
                                [Purpose]         VARCHAR(100) NULL,
                                [Category]        VARCHAR(50)  NULL,
                                [DateCreated]         DATETIME NULL,
                                [CreatedBy]       VARCHAR(30)  NULL,
                                [TestObjectBatch] VARCHAR(20)  NULL,
                                [LoadDirection]   VARCHAR(2)   NULL,
                                [ElementType]     VARCHAR(10)  NULL,
                                [FatigueTestType] VARCHAR(50)  NULL,
                                [LoadAmplitude]            INT NULL,
                                [LoadStatic]      INT NULL,
                                [UntilBreakage]   VARCHAR(5)   NULL,
                                [NumberOfObject]           INT NULL,
                                [Remarks]         VARCHAR(200) NULL,
                                PRIMARY KEY CLUSTERED([TestOrderName] ASC));";

using (SqlConnection connection = new SqlConnection(yourConnectionString))
{
    using (SqlCommand command = new SqlCommand(EFTGeneral, connection))
    {
        SqlParameter tableNameParam = new SqlParameter("tableName", SqlDbType.Varchar);
        tableNameParam.Value = textBox.Text;
        command.Parameters.Add(tableNameParam);
        command.ExecuteNonQuery();
    }
}
Paulo Amaral
  • 551
  • 4
  • 22
0

Here is my code and now I can create SQL Table name as I want:

try
            {
               string EFTGeneral = @"CREATE TABLE [EFTGNR] (
                                [TestOrderName]   VARCHAR(20)  NOT NULL,    
                                [Template]        VARCHAR(50)  NULL,
                                [Purpose]         VARCHAR(100) NULL,
                                [Category]        VARCHAR(50)  NULL,
                                [DateCreated]         DATETIME NULL,
                                [CreatedBy]       VARCHAR(30)  NULL,
                                [TestObjectBatch] VARCHAR(20)  NULL,
                                [LoadDirection]   VARCHAR(2)   NULL,
                                [ElementType]     VARCHAR(10)  NULL,
                                [FatigueTestType] VARCHAR(50)  NULL,
                                [LoadAmplitude]            INT NULL,
                                [LoadStatic]      INT NULL,
                                [UntilBreakage]   VARCHAR(5)   NULL,
                                [NumberOfObject]           INT NULL,
                                [Remarks]         VARCHAR(200) NULL,
                                PRIMARY KEY CLUSTERED([TestOrderName] ASC));";
                ////

                SqlConnection conn = new SqlConnection(ConnString);
                conn.Open();
                EFTGeneral = EFTGeneral.Replace("[EFTGNR]", "[" + txtbox_testorder.Text + ".GERNERAL]");
                SqlCommand cmd = new SqlCommand(EFTGeneral, conn);
                cmd.ExecuteNonQuery();
                conn.Close();
            }catch(Exception ex)
            {
                MessageBox.Show(ex.Message);
            }
Nam
  • 1