
Parameterized SQL in FROM clause

Using OleDbCommand I can add SQL parameters and thus keep the query safe from SQL injection, but is there a way to do this within the FROM clause? See below.

THIS WORKS

```csharp
// sqlConnStr is assumed to be an open OleDbConnection (the name is kept from the original post)
string query = "Select * From Company Where @param = 1";
OleDbCommand Command = new OleDbCommand(query, sqlConnStr);
OleDbDataAdapter adapter = new OleDbDataAdapter();
DataSet dataSet = new DataSet();
DataTable Table = null;
//Add Parameters
Command.Parameters.AddWithValue("param", "ID");
adapter.SelectCommand = Command;
adapter.Fill(dataSet);        // executes the SELECT and loads the result set
Table = dataSet.Tables[0];
```

It returns a nice table with the wonderful row where id = 1.

BUT

I am looking for something like this, note the FROM CLAUSE:

```csharp
// sqlConnStr is assumed to be an open OleDbConnection (the name is kept from the original post)
string query = "Select * From @tableName Where @param = 1";
OleDbCommand Command = new OleDbCommand(query, sqlConnStr);
OleDbDataAdapter adapter = new OleDbDataAdapter();
DataSet dataSet = new DataSet();
DataTable Table = null;
//Add Parameters
Command.Parameters.AddWithValue("param", "ID");
Command.Parameters.AddWithValue("tableName", "Company");
adapter.SelectCommand = Command;
adapter.Fill(dataSet);        // fails: the provider rejects a parameter in the FROM clause
Table = dataSet.Tables[0];
```

The DBMS keeps returning with "Error in From clause".

PS everything is spelled correctly - I triple checked.

---

To All - Thanks but alas I shall stick to just Parameterized SQL. I don't like Dynamic SQL one BIT.
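Added example, not code from the question or its answers: a SQL parameter binds a value, never an identifier, so a table name cannot be passed as a parameter; the defensive pattern is to pick the table from an allow-list owned by the code, splice only that canonical spelling into the SQL text as a quoted identifier, and keep binding the ID value as a parameter. The table names, the [ID] column and the open OleDbConnection are assumptions for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.OleDb;

static class SafeTableQuery
{
    // Allow-list of tables the application may query (assumed names).
    // The key is what callers may ask for; the value is the canonical spelling
    // that actually reaches the SQL text, so user input itself never does.
    private static readonly Dictionary<string, string> AllowedTables =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "Company", "Company" },
            { "Employee", "Employee" },
        };

    // Builds "SELECT * FROM [table] WHERE [ID] = ?" for an allow-listed table.
    // OLE DB parameters are positional: the text uses '?' and parameters are
    // bound in the order they are added; the name given to AddWithValue is
    // not matched against the SQL text.
    public static OleDbCommand BuildSelectById(OleDbConnection connection, string requestedTable, int id)
    {
        string canonical;
        if (!AllowedTables.TryGetValue(requestedTable, out canonical))
            throw new ArgumentException("Table is not in the allow-list: " + requestedTable);

        // Identifier is bracket-quoted and comes from our own literal, not the caller.
        string sql = "SELECT * FROM [" + canonical + "] WHERE [ID] = ?";

        var command = new OleDbCommand(sql, connection);
        command.Parameters.AddWithValue("id", id); // first '?' <- first parameter
        return command;
    }

    // Runs the query and returns the result rows as a DataTable.
    public static DataTable Run(OleDbConnection connection, string requestedTable, int id)
    {
        using (OleDbCommand command = BuildSelectById(connection, requestedTable, id))
        using (var adapter = new OleDbDataAdapter(command))
        {
            var table = new DataTable();
            adapter.Fill(table); // Fill executes the SELECT; no separate ExecuteNonQuery call
            return table;
        }
    }
}
```

A request for any table outside the dictionary is rejected before any SQL text is built, which is the check a parameter would otherwise have provided.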