• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 230
  • Last Modified:

sql Parameter error

Hi, I'm using asp.net 3.5 and C#
Please see attached screen shot.  Here is my code
thank you.
public DataSet SelectFromTables(List<string> tableNames)
    {
        DataSet ds = new DataSet();
        foreach (string tableName in tableNames)
        {
            SelectFromATable(tableName, ds);
        }
        return ds;
    }

    private void SelectFromATable(string tableName, DataSet ds)
    {
        string query = "select * from @tableName";
        SqlCommand cmd = new SqlCommand(query);
        cmd.Parameters.Add(@tableName, SqlDbType.NVarChar);
        cmd.Parameters["@tableName"].Value = tableName;
        FillDataSet(cmd, tableName, ds);
    }

    private void FillDataSet(SqlCommand cmd, string tableName, DataSet ds)
    {
        SqlConnection con = new SqlConnection(connectionString);
        cmd.Connection = con;
        SqlDataAdapter adapter = new SqlDataAdapter(cmd);
        try
        {
            con.Open();
            adapter.Fill(ds, tableName);

        }
        finally
        {
            con.Close();
            con.Dispose();
        }
    }

Open in new window

ado-error.jpg
0
lapucca
Asked:
lapucca
1 Solution
 
Pratima PharandeCommented:


change the function like this

private void SelectFromATable(string tableName, DataSet ds)
    {
        string query = "select * from " + tableName;
        SqlCommand cmd = new SqlCommand(query);
         FillDataSet(cmd, tableName, ds);
    }
0
 
crysallusCommented:
Try changing this:

cmd.Parameters.Add(@tableName, SqlDbType.NVarChar);

Open in new window

to this:

cmd.Parameters.Add("@tableName", SqlDbType.NVarChar);

Open in new window

0
 
Rikin ShahMicrosoft Dynamics CRM ConsultantCommented:
try this way-
 
private void SelectFromATable(string tableName, DataSet ds)
    {
        string query = "select * from " + tableName;
        SqlCommand cmd = new SqlCommand(query);
        /*cmd.Parameters.Add("@tableName", SqlDbType.NVarChar);
        cmd.Parameters["@tableName"].Value = tableName;*/
        FillDataSet(cmd, tableName, ds);
    }

Open in new window

0
 
lapuccaAuthor Commented:
Thank you.  I want to use cmd parameters to avoid sql injection.
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now