
I'm trying to create a table whose name comes from a dynamically retrieved value.

Here is the code:

    int noo = 0;
    string nok = "";
    while (reader.Read())
    {
        noo = reader.GetInt32(3);      // dynamic value from column 3
        nok = noo.ToString();
        MessageBox.Show(noo.ToString());
    }
    con.Close();
    // builds the SQL with the dynamic value concatenated into the name check and into the table name
    var commandStr = "If not exists (select name from sysobjects where name = C"+nok+") CREATE TABLE C"+nok+"(A char(50),B char(50),C char(50),D char(50),E char(50),F char(50),G char(50),H char(50),I char(50),J char(50),K char(50),L char(50),M char(50),N char(50),O char(50))";
    MessageBox.Show(commandStr);
    con.Open();
    using (SqlCommand command = new SqlCommand(commandStr, con))
        command.ExecuteNonQuery();

But I'm getting an "invalid column name" error with that dynamic value.

  • The SQL is not valid. C3 in name = C3 should at least be enclosed in quotes (ie name = 'C3'). Commented Oct 1, 2014 at 15:40
  • Thanks man, got it. Now I'm getting an "incorrect syntax near" that variable error: "If not exists (select name from sysobjects where name = 'C"+nok+"') CREATE TABLE 'C"+nok+"'(A char(50),B char(50),C char(50),D char(50),E char(50),F char(50),G char(50),H char(50),I char(50),J char(50),K char(50),L char(50),M char(50),N char(50),O char(50))"; Commented Oct 1, 2014 at 15:43
  • See David's answer for your new error. Commented Oct 1, 2014 at 15:50

5 Answers

3

You didn't wrap the string in quotes.

When referencing the table as an identifier, quotes aren't needed. Because it's an object name:

... CREATE TABLE C"+nok+"(A char(50), ...

becomes:

... CREATE TABLE C1(A char(50), ...

But when referencing the table's name as a value in the WHERE clause, it isn't an object identifier. It's a column value. The name column holds string values, so it needs to be compared with a string:

... where name = 'C"+nok+"') CREATE ...

becomes:

... where name = 'C1') CREATE ...

1 Comment

@JP1016: Glad I could help! I didn't go into detail in my answer regarding the SQL injection vulnerability, mostly because in this specific case the risk seems a bit low. (Since the value originates as an integer.) But the risk still exists and I highly recommend reading up on the subject of SQL injection and how to guard against it.
2

The name of the table should be between quotes: 'name'

var commandStr = "If not exists (select name from sysobjects where name = 'C"+nok+"') CREATE TABLE C"+nok+"(A char(50),B char(50),C char(50),D char(50),E char(50),F char(50),G char(50),H char(50),I char(50),J char(50),K char(50),L char(50),M char(50),N char(50),O char(50))";

Easier way to check if a table/object is present

IF OBJECT_ID('C" + nok + "') IS NULL CREATE TABLE ...

Comments

2

The problem is here:

select name from sysobjects where name = C"+nok+"

When you run this in oracle the statement executed will be:

select name from sysobjects where name = CWHATEVER

Since CWHATEVER is not in quotes it will be considered a column name instead of a string value. For this to work it needs to be in single quotes:

select name from sysobjects where name = 'C"+nok+"'

However, this opens you up to SQL Injection. I would strongly advise you to use sql parameters instead.

2 Comments

So you tell him the wrong way to fix it in detail, but then conclude with "use SQL parameters instead?"
@RobertHarvey Added a link to an example.
1

The value needs single quotes around it:

... (select name from sysobjects where name = 'C"+nok+"') ...

Comments

1

You shouldn't just add 'nok' into your SQL statement. You need to use a parameter. Try something like this. I just took a small snippet:

commandStr = "if not exists (select name from sysobjects where name = 'c@nok')";

And then later, when you have the command text, replace the parameter:

command.Parameters.AddWithValue("@nok", nok);

7 Comments

This is not valid SQL. It would work with ... where name = 'C' + @nok
Really? I have a c# application that has something like this: SELECT * FROM projects WHERE name = @name and it works. That's what I used as reference. Perhaps both would work? Or is the difference that I'm not concatenating anything?
The difference is c@nok is sent to the SQL server for processing. @name in your example is fine as it is interpreted as a query parameter. c@nok is interpreted as a column.
I understand. @Vulcronos explained that pretty well. Thanks for the heads up. I'll edit the answer, even though this one is not best.
Thanks. I think I made a flaw in thinking that c@param was special and not just "give me the value 'C' plus my parameter". D'OH
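As an added example (not code from the question or from any of the answers above), this is the pattern the last two answers converge on: the existence check treats the name as a value and passes it as a parameter, while the CREATE TABLE identifier, which cannot be parameterised, is built from the integer itself and bracket-quoted. The connection string, the `EnsureTable` method and the shortened column list are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

static class DynamicTable
{
    // The identifier is derived from the int read by reader.GetInt32(3),
    // so it can only ever be "C" followed by digits.
    public static string TableNameFor(int noo)
    {
        return "C" + noo.ToString(CultureInfo.InvariantCulture);
    }

    // Creates table C<noo> if it does not already exist.
    // connectionString is assumed; columns shortened from the A..O list in the question.
    public static void EnsureTable(string connectionString, int noo)
    {
        string tableName = TableNameFor(noo);

        // In the IF, the name is a VALUE compared against sys metadata: use a parameter.
        // In CREATE TABLE, the name is an IDENTIFIER: a parameter cannot be used there,
        // so the digit-only name is concatenated and bracket-quoted.
        string sql =
            "IF OBJECT_ID(@name, N'U') IS NULL " +
            "CREATE TABLE [" + tableName + "] (A char(50), B char(50), C char(50))";

        using (var con = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, con))
        {
            // Explicit type and length rather than AddWithValue, so the parameter
            // type matches sysname/nvarchar(128) and the plan stays stable.
            command.Parameters.Add("@name", SqlDbType.NVarChar, 128).Value = tableName;
            con.Open();
            command.ExecuteNonQuery();
        }
    }
}
```

Because `tableName` is never taken from a raw string, the bracket quoting is belt-and-braces; the parameter is what keeps the existence check free of the quoting mistake that caused the original "invalid column name" error.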