I’m not sure if you’re still looking into this, but the DbCommandBuilder
class provides a method QuoteIdentifier
for this purpose. The main benefits of this are that it’s database-independent and doesn’t involve any RegEx mess.
As of .NET 4.5, you have everything you need to sanitize table and column names just using your DbConnection object:
DbConnection connection = GetMyConnection(); // Could be SqlConnection
DbProviderFactory factory = DbProviderFactories.GetFactory(connection);
// Sanitize the table name
DbCommandBuilder commandBuilder = factory.CreateCommandBuilder();
string tableName = "This Table Name Is Long And Bad";
string sanitizedTableName = commandBuilder.QuoteIdentifier(tableName);
IDbCommand command = connection.CreateCommand();
command.CommandText = "SELECT * FROM " + sanitizedTableName;
// Becomes 'SELECT * FROM [This Table Name Is Long And Bad]' in MS-SQL,
// 'SELECT * FROM "This Table Name Is Long And Bad"' in Oracle, etc.
(Pre-4.5, you’ll need some other way to get your DbProviderFactory — maybe from the data provider name in your application configuration or hard-coded somewhere.)