
This must be very simple but I can't figure it out, or maybe it is not possible.

I have the following function:

private static bool createDB(SqlConnection dbConn, string dbName)
{
    string sqlString = "CREATE DATABASE @dbname";
    using (dbConn)
    {
        using (SqlCommand cmd = new SqlCommand(sqlString, dbConn))
        {
            cmd.Parameters.AddWithValue("@dbname", dbName);
            cmd.CommandType = CommandType.Text;
            dbConn.Open();
            try
            {
                cmd.ExecuteNonQuery();
                MessageBox.Show("Se creo la DB");
                return true;
            }
            catch (Exception ex)
            {
                MessageBox.Show("No se creo la DB");
                return false;
            }
            finally
            {
                //dbConn.Close();
            }
        }
    }
}

But apparently @dbname is not getting the value. dbName does get the name I want when I call it, but the exception says incorrect syntax near '@dbname'.

I'm new to C#, please be nice :) I got this from many other posts with prepared statements, but I couldn't find any with a CREATE DATABASE, but I'm assuming this should be very similar.

3 Answers


You aren't allowed to do that. Database names and field names will not work this way.

string sqlString = "CREATE DATABASE " + dbName;

Only parameters are allowed. Example:

string sqlString = "update test set myField = @myVal";

you can then use

cmd.Parameters.AddWithValue("@myVal", yourVar);

You also don't need to add @ in Parameters.AddWithValue as it's just implied already.

You always want to add parameters with Parameters.AddWithValue to prevent people from escaping and performing SQL injection.


You don't need to use SqlParameters for this, just add the dbName variable to your command text.

private static bool createDB(SqlConnection dbConn, string dbName)
{
    string sqlString = "CREATE DATABASE " + dbName;
    using (dbConn)
    {
        using (SqlCommand cmd = new SqlCommand(sqlString, dbConn))
        {
            cmd.CommandType = CommandType.Text;

            dbConn.Open();
            try
            {
                cmd.ExecuteNonQuery();
                MessageBox.Show("Se creo la DB");
                return true;
            }
            catch (Exception ex)
            {
                MessageBox.Show("No se creo la DB");
                return false;
            }
            finally
            {
                //dbConn.Close();
            }
        }
    }
}

As a side note, I wouldn't put a messagebox (I assume this is test code) in a CRUD method like this, not to mention that this leaves the db connection open until the messagebox is acknowledged.

1 Comment

Sorry man, your answer didn't explain anything before, that's why I marked Tsukasa's answer as the answer, and yes, my messageboxes are only for testing purposes. But I did mark it as useful, thanks.

If you must "parameterize" the database name, then I'd suggest trying something like this...

string sqlString = string.Format("CREATE DATABASE {0}", dbName.Trim().Replace(" ",""));

It will also help guard against SQL injection (help, not prevent), but at least you'd be ok with the littlebobbytables exploits.

2 Comments

tough crowd... didn't even get a bump for the little bobby tables reference?
Lol, little bobby tables was awesome.
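Since a database name is an identifier and cannot be bound as a parameter, the defensive alternative to plain concatenation (discussed in the first and third answers) is to allow-list the name and bracket-quote it before building the statement. The following is an added example, not code from any of the answers; `SafeDdl`, `CreateDatabase`, `QuoteIdentifier` and the regular expression are assumptions chosen for this illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class SafeDdl
{
    // Allow-list: a letter or underscore followed by letters, digits or underscores,
    // at most 128 characters (the SQL Server identifier limit). This pattern is an
    // assumption for the example; tighten it to match your own naming policy.
    private static readonly Regex Identifier =
        new Regex(@"^[A-Za-z_][A-Za-z0-9_]{0,127}$", RegexOptions.Compiled);

    public static bool IsValidIdentifier(string name)
    {
        return name != null && Identifier.IsMatch(name);
    }

    // Same effect as T-SQL QUOTENAME(): wrap the name in brackets and double any
    // closing bracket so that no character in the name can terminate the quoting.
    public static string QuoteIdentifier(string name)
    {
        if (name == null) throw new ArgumentNullException(nameof(name));
        return "[" + name.Replace("]", "]]") + "]";
    }

    // CREATE DATABASE cannot take @dbname as a parameter, so the name is validated
    // against the allow-list and quoted before it is concatenated into the text.
    // Exceptions from SqlClient are left to propagate so the caller can log them.
    public static void CreateDatabase(SqlConnection dbConn, string dbName)
    {
        if (!IsValidIdentifier(dbName))
            throw new ArgumentException("Database name must be a simple identifier.", nameof(dbName));

        string sqlString = "CREATE DATABASE " + QuoteIdentifier(dbName);
        using (SqlCommand cmd = new SqlCommand(sqlString, dbConn))
        {
            cmd.CommandType = CommandType.Text;
            if (dbConn.State != ConnectionState.Open) dbConn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

With this check a name such as `Robert'); DROP TABLE Students;--` is rejected before any SQL text is built, while `Students_2024` is accepted and emitted as `CREATE DATABASE [Students_2024]`.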
