lapucca
asked on
sql Parameter error
Hi, I'm using asp.net 3.5 and C#
Please see attached screen shot. Here is my code
thank you.
Please see attached screen shot. Here is my code
thank you.
public DataSet SelectFromTables(List<string> tableNames)
{
DataSet ds = new DataSet();
foreach (string tableName in tableNames)
{
SelectFromATable(tableName, ds);
}
return ds;
}
private void SelectFromATable(string tableName, DataSet ds)
{
string query = "select * from @tableName";
SqlCommand cmd = new SqlCommand(query);
cmd.Parameters.Add(@tableName, SqlDbType.NVarChar);
cmd.Parameters["@tableName"].Value = tableName;
FillDataSet(cmd, tableName, ds);
}
private void FillDataSet(SqlCommand cmd, string tableName, DataSet ds)
{
SqlConnection con = new SqlConnection(connectionString);
cmd.Connection = con;
SqlDataAdapter adapter = new SqlDataAdapter(cmd);
try
{
con.Open();
adapter.Fill(ds, tableName);
}
finally
{
con.Close();
con.Dispose();
}
}
ado-error.jpg
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
try this way-
private void SelectFromATable(string tableName, DataSet ds)
{
string query = "select * from " + tableName;
SqlCommand cmd = new SqlCommand(query);
/*cmd.Parameters.Add("@tableName", SqlDbType.NVarChar);
cmd.Parameters["@tableName"].Value = tableName;*/
FillDataSet(cmd, tableName, ds);
}
ASKER
Thank you. I want to use cmd parameters to avoid sql injection.
change the function like this
private void SelectFromATable(string tableName, DataSet ds)
{
string query = "select * from " + tableName;
SqlCommand cmd = new SqlCommand(query);
FillDataSet(cmd, tableName, ds);
}