Solved

sql Parameter error

Posted on 2011-03-24
Last Modified: 2012-05-11
Hi, I'm using ASP.NET 3.5 and C#.
Please see the attached screenshot. Here is my code.
Thank you.
public DataSet SelectFromTables(List<string> tableNames)
    {
        DataSet ds = new DataSet();
        foreach (string tableName in tableNames)
        {
            SelectFromATable(tableName, ds);
        }
        return ds;
    }

    private void SelectFromATable(string tableName, DataSet ds)
    {
        string query = "select * from @tableName";
        SqlCommand cmd = new SqlCommand(query);
        cmd.Parameters.Add(@tableName, SqlDbType.NVarChar);
        cmd.Parameters["@tableName"].Value = tableName;
        FillDataSet(cmd, tableName, ds);
    }

    private void FillDataSet(SqlCommand cmd, string tableName, DataSet ds)
    {
        SqlConnection con = new SqlConnection(connectionString);
        cmd.Connection = con;
        SqlDataAdapter adapter = new SqlDataAdapter(cmd);
        try
        {
            con.Open();
            adapter.Fill(ds, tableName);

        }
        finally
        {
            con.Close();
            con.Dispose();
        }
    }

ado-error.jpg
0
Question by:lapucca
4 Comments
 
LVL 39

Expert Comment

by:Pratima Pharande
ID: 35212817


Change the function like this:

private void SelectFromATable(string tableName, DataSet ds)
    {
        string query = "select * from " + tableName;
        SqlCommand cmd = new SqlCommand(query);
        FillDataSet(cmd, tableName, ds);
    }
0
 
LVL 8

Accepted Solution

by:
crysallus earned 500 total points
ID: 35212825
Try changing this:

cmd.Parameters.Add(@tableName, SqlDbType.NVarChar);

to this:

cmd.Parameters.Add("@tableName", SqlDbType.NVarChar);

0
 
LVL 19

Expert Comment

by:Rikin Shah
ID: 35212826
Try this way:
 
private void SelectFromATable(string tableName, DataSet ds)
    {
        string query = "select * from " + tableName;
        SqlCommand cmd = new SqlCommand(query);
        /*cmd.Parameters.Add("@tableName", SqlDbType.NVarChar);
        cmd.Parameters["@tableName"].Value = tableName;*/
        FillDataSet(cmd, tableName, ds);
    }

0
 

Author Closing Comment

by:lapucca
ID: 35212840
Thank you.  I want to use cmd parameters to avoid sql injection.
0
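
SQL Server accepts parameters only for values, not for object names, so in "select * from @tableName" the server treats @tableName as a table variable even when the parameter is added correctly. The following is an added example, not code from any poster in this thread: it shows one way to keep the table name dynamic without concatenating unchecked input, by checking the name against an allow-list and bracket-quoting it while values still travel as parameters. The class name, the allow-listed table names and the @maxRows parameter are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class SafeTableSelect
{
    // Hypothetical allow-list: the only tables callers may read (constructed sample names).
    private static readonly HashSet<string> AllowedTables =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Customers", "Orders" };

    // Returns a bracket-quoted identifier, or throws if the name is not allow-listed.
    public static string QuoteTableName(string tableName)
    {
        if (tableName == null || !AllowedTables.Contains(tableName))
            throw new ArgumentException("Table is not on the allow-list.", "tableName");
        // Defense in depth: double any ']' so the name cannot close the bracket early.
        return "[" + tableName.Replace("]", "]]") + "]";
    }

    // The identifier is validated and quoted; the value (@maxRows, an assumed
    // extra input) is still passed as a real parameter.
    public static SqlCommand BuildSelect(string tableName, int maxRows)
    {
        SqlCommand cmd = new SqlCommand(
            "select top (@maxRows) * from " + QuoteTableName(tableName));
        cmd.Parameters.Add("@maxRows", SqlDbType.Int).Value = maxRows;
        return cmd;
    }

    public static void Main()
    {
        // Constructed inputs: one legitimate name and one that tries to append SQL.
        foreach (string name in new[] { "Orders", "Orders]; select 1--" })
        {
            try { Console.WriteLine(BuildSelect(name, 10).CommandText); }
            catch (ArgumentException ex) { Console.WriteLine("Rejected: " + ex.Message); }
        }
    }
}
```

The command returned by BuildSelect can be passed to the thread's FillDataSet method unchanged, since that method only attaches a connection and fills the DataSet.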
