
I have the following SQL query which takes the header from a file and creates a column with the same name as the header:

SqlCommand createtable = new SqlCommand("CREATE TABLE " + tbXLSTableName.Text + " (" + dc.ColumnName + " varchar(MAX))", myConnection);

It is open for an SQL injection attack so I decided to use parameters like this:

string strCreateTable = "CREATE TABLE @TableNameCreateXLS (" + dc.ColumnName + " varchar(MAX))";

SqlCommand createtable = new SqlCommand(strCreateTable, myConnection);      
createtable.Parameters.AddWithValue("TableNameCreateXLS", tbXLSTableName.Text);

dc is a DataColumn object.

I am getting the following error:

Incorrect syntax near @TableNameCreateXLS

How can I resolve the error?

8
  • 3
    As I said in a comment on your previous (now-deleted) question: "you usually can't parameterize table and column names." Commented Jun 20, 2014 at 15:50
  • It was deleted by accident and I lost the page to undelete. So use the old command that I was using? Commented Jun 20, 2014 at 15:50
  • 2
    Yes. But validate the heck out of the value first - ideally restricting it really heavily. (In cases where you want to select from a number of tables, use a whitelist - this doesn't work here, of course.) Commented Jun 20, 2014 at 15:51
  • validate the heck out of the value first :-) :-) :-) Commented Jun 20, 2014 at 15:53
  • SIGH that's just not kewl. Commented Jun 20, 2014 at 15:53

3 Answers

7

You can't use parameters for table and column names, but you can use the SqlCommandBuilder.QuoteIdentifier method to escape their values. For example:

SqlCommandBuilder sqlBuilder = new SqlCommandBuilder();
string columnName = dc.ColumnName;          // e.g. "somecolumn"
string TableNameCreateXLS = "someTable";
// QuoteIdentifier wraps the name in [ ] and doubles any ] inside it
string escapedColumnName = sqlBuilder.QuoteIdentifier(columnName);
string escapedTableName = sqlBuilder.QuoteIdentifier(TableNameCreateXLS);

string strCreateTable = string.Format("CREATE TABLE {0} ({1} varchar(MAX))", escapedTableName, escapedColumnName);


2

Unfortunately, you cannot use parameters for table names. I usually see this being done when people want to query a dynamic table, and in those cases I say the safe thing to do is query the table of table names using a parameter, but in your case it doesn't work.

So aside from sanitizing the table name input yourself, I don't think you have any in-SQL way to do this safely. If creating a table dynamically like this is unavoidable, then at least be sure to sanitize it first.

3 Comments

  • What would be the best way to sanitize the textbox for the table name? Any SQL method?
  • @SiKni8 Admittedly I don't know of a good way to do it manually. The almost universal advice is to use parameterized queries, but here it really doesn't work. At the very least remove ' (apostrophes). Are you sure you want to give the user direct access, with a textbox, to create any table they want?
  • Well, the good news is the application will be used internally within our group. The bad news is, anyone can be evil at any time ;). I only allow ALPHANUMERIC for the textbox so I should be fine.
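The two accepted approaches above, validating the identifier against an allow-list (answer 2 and the comments) and quoting it with SqlCommandBuilder.QuoteIdentifier (answer 1), are stronger together than either alone. The following is an added example, not code from any of the answers; it assumes a SQL Server connection string in connectionString and a DataColumn dc as in the question, and the SafeDdl, RequireSafeIdentifier and BuildCreateTable names are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example, not from the original answers. Assumes a SQL Server
// connection string and a DataColumn like the question's `dc`; the class and
// method names below are hypothetical.
static class SafeDdl
{
    // Allow-list for identifiers: a leading letter or underscore, then letters,
    // digits or underscores, at most 128 characters (SQL Server's sysname limit).
    private static readonly Regex IdentifierPattern =
        new Regex(@"^[A-Za-z_][A-Za-z0-9_]{0,127}$", RegexOptions.Compiled);

    // Reject anything outside the allow-list before it reaches the DDL string.
    public static string RequireSafeIdentifier(string value, string what)
    {
        if (value == null || !IdentifierPattern.IsMatch(value))
            throw new ArgumentException($"{what} '{value}' is not a permitted identifier.");
        return value;
    }

    // Validate first, then quote. QuoteIdentifier wraps the name in [ ] and
    // doubles any ] inside it, so the identifier cannot close the bracket early
    // even if the allow-list is later relaxed.
    public static string BuildCreateTable(string tableName, string columnName)
    {
        var builder = new SqlCommandBuilder();
        string table = builder.QuoteIdentifier(RequireSafeIdentifier(tableName, "Table name"));
        string column = builder.QuoteIdentifier(RequireSafeIdentifier(columnName, "Column name"));
        return $"CREATE TABLE {table} ({column} varchar(MAX))";
    }

    // Executes the validated, quoted statement; the identifiers are the only
    // dynamic parts and both have passed the allow-list.
    public static void CreateTable(string connectionString, string tableName, DataColumn dc)
    {
        string sql = BuildCreateTable(tableName, dc.ColumnName);
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            connection.Open();
            command.ExecuteNonQuery();
        }
    }

    public static void Main()
    {
        // A well-formed table and column name passes validation and is quoted.
        Console.WriteLine(BuildCreateTable("ImportedSheet", "Header1"));

        // A name containing a bracket is rejected by the allow-list before any
        // SQL is built; QuoteIdentifier would otherwise double the bracket.
        try
        {
            BuildCreateTable("Bad]Name", "Header1");
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

Spreadsheet headers often contain spaces or punctuation, which this allow-list rejects; if such headers must be accepted, widen the pattern deliberately (for example to permit spaces) and keep the length cap and the QuoteIdentifier call, rather than dropping validation and relying on quoting alone. Keeping the validation in one method also makes the rejection easy to log, which is where you would want to see repeated attempts to submit malformed names.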
0

Use this and see if it works:

createtable.Parameters.AddWithValue("@TableNameCreateXLS", tbXLSTableName.Text);

