0

Explaining with my code will be infinitely easier, so:

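    private void dtSelectorLoad_Click(object sender, RoutedEventArgs e)
    {
        // Show which table name is currently selected in the list box.
        MessageBox.Show(dtSelector.SelectedValue != null ? dtSelector.SelectedValue.ToString() : "I have 0 selected items!");

        // The table is fixed at compile time here; the goal is to pick it from the selection.
        var query =
            from obj in dataEntities.someTable
            select obj;
        primaryDataGrid.ItemsSource = query.ToList();
    }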

Essentially, based on the value of dtSelector.SelectedValue.ToString(), I need to execute the from obj in dataEntities.someTable query, where someTable is the value of dtSelector.SelectedValue.ToString().

How can I achieve this? Banging my head against the wall here. End-game is that when the user clicks the button, it populates a dataGrid with data from the table currently selected in the listBox.

2
  • What is dataEntities? Is it an Entity Framework DbContext and dtSelector.SelectedValue determines the DbSet to query? Commented May 12, 2020 at 15:09
  • Yes, exactly this. dtSelector.SelectedValue is a listBox that I have populated with all table names within the entity db model. I simply want users to be able to choose from the dropdown what table they want to query, click the button, and let it load that table into the datagrid. Commented May 12, 2020 at 17:30

1 Answer 1

2

The reason why it seems impossible (it isn't) is because what you're doing goes against every single programming and database principle. In particular, relational databases are made to be queried on field condition, not split between multiple tables with identical schemas, and I'll be honest with you, if you did that working for me, you'd be fired by the end of the day.

However, if you insist on this you have two options:

  1. Reflection gives you access to properties based on their name. Congratulations, you brought SQL injection to WinForms in general.

  2. A simple switch statement on all possible values, which forwards the request to the correct table. Of course this isn't exactly scalable to new values, since you have to recompile your code to add the new values, but at this point we're throwing any kind of professionalism out the window.


12 Comments

Although I agree with this answer (and I've +1'ed), again (like the other -now deleted- answer), immediately assuming SQL injection (or EF injection in this case ;-) ) just because the table is variable is -wrong- ... it's open to injection -if the variable is modifiable by user entry-, but other than it comes from a "SelectedValue" (which could be from a constant list), we don't know that from the question. Again, the rest of the answer is totally +1-able :-)
You misread what I wrote, because neither one of those 2 points is open to SQL injection. The first point says that if you use reflection based on the unsanitized input string you can access any property available in the EF context -- you still can't inject anything, but you can access otherwise hidden properties. And in the second point, the input is sanitized by the very nature of the hand-written switch statement.
Oh, yeah, definitely. I DO get the point. I was talking specifically about point 1... which yes, applies if the name is user-input and/or unsanitized, but nowhere in the question says it's user-input, and nowhere in the answer says it must be sanitized, so someone else could think otherwise when reading this (I totally get why you wrote it, but it could be unclear to someone who doesn't know about SQL injections and could think that just by using reflection you are open to SQL injection, which you aren't).
I appreciate the answer - but it seems somewhat confrontational. The reason I ask this question is because I don't know; if I knew the most secure, most professional approach to this, I wouldn't be asking. So clearly option 2 seems more appropriate, but equally, I don't want to recompile every time a new table is added. Is there a way to do this without the caveats you had mentioned? It's nice to know you would fire me, but I am not a professional programmer, merely someone with an interest trying to learn.
@PnP if you want to dynamically load different tables -with different schemas- (maybe just to show, not to do anything on them), then maybe in this case, Entity Framework (which is an ORM with strict type mapping) is not the best tool for the job, and you'd be better off constructing SQL sentences and using Dapper or similar to map them to dictionaries (or build json documents with no schema). Unless there's something common on the schema (where you can base your types on), EF and Linq seem to me -probably, and without knowing your project- just bad choices here
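An added example, not code from the question, the answer or the commenters: a middle ground between the answer's two options, where reflection is used only to build a fixed allow-list of table properties and the selected name is then looked up by exact match. `DemoEntities`, `Customer`, `Order` and `TableCatalog` are hypothetical stand-ins so the code runs without a database; with a real EF context the filter would match `DbSet<>` instead of `IQueryable<>`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

// Stand-ins for the page's EF context and entities (constructed for this example).
public class Customer { public int Id { get; set; } public string Name { get; set; } = ""; }
public class Order { public int Id { get; set; } public decimal Total { get; set; } }

public class DemoEntities
{
    public IQueryable<Customer> Customers { get; } =
        new[] { new Customer { Id = 1, Name = "Ada" } }.AsQueryable();
    public IQueryable<Order> Orders { get; } =
        new[] { new Order { Id = 7, Total = 9.5m } }.AsQueryable();
    // Not a table: a bare GetProperty(name) lookup would return this as well.
    public string ConnectionString { get; } = "Server=db;Password=placeholder";
}

public static class TableCatalog
{
    // Allow-list built once: only public instance properties typed IQueryable<T>.
    private static readonly Dictionary<string, PropertyInfo> Tables =
        typeof(DemoEntities)
            .GetProperties(BindingFlags.Public | BindingFlags.Instance)
            .Where(p => p.PropertyType.IsGenericType &&
                        p.PropertyType.GetGenericTypeDefinition() == typeof(IQueryable<>))
            .ToDictionary(p => p.Name, StringComparer.Ordinal);

    // Populate the list box from this, so the UI and the check share one source.
    public static IReadOnlyCollection<string> Names => Tables.Keys;

    public static List<object> Load(DemoEntities ctx, string name)
    {
        // Exact, case-sensitive match against the allow-list; anything else is rejected.
        if (name == null || !Tables.TryGetValue(name, out var prop))
            throw new ArgumentException("Unknown table name.");
        return ((IEnumerable<object>)prop.GetValue(ctx)).ToList();
    }
}

public static class Program
{
    public static void Main()
    {
        var ctx = new DemoEntities();
        Console.WriteLine(string.Join(",", TableCatalog.Names));
        Console.WriteLine(TableCatalog.Load(ctx, "Orders").Count);
        try { TableCatalog.Load(ctx, "ConnectionString"); }
        catch (ArgumentException ex) { Console.WriteLine(ex.Message); }
    }
}
```

New tables added to the context appear in `Names` without editing a switch statement, while non-table properties such as `ConnectionString` stay unreachable by name.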