SqlParameter does not allows Table name – other options without sql injection attack?

by

Go for a white list. There can only be a fixed set of possible correct values for the table name anyway – at least, so I’d hope.

If you don’t have a white list of table names, you could start with a whitelist of characters – if you restrict it to A-Z, a-z and 0-9 (no punctuation at all) then that should remove a lot of the concern. (Of course that means you don’t support tables with odd names… we don’t really know your requirements here.)

But no, you can’t use parameters for either table or column names – only values. That’s typically the case in databases; I don’t remember seeing one which did support parameters for that. (I dare say there are some, of course…)

More Related Contents:

  1. An unhandled exception of type ‘System.InvalidOperationException’ occurred in System.Data.dll?
  2. Adding multiple parameterized variables to a database in c#
  3. How to connect to database from Unity
  4. SQL WHERE clause matching values with trailing spaces
  5. SqlDataSourceEnumerator.Instance.GetDataSources() does not locate local SQL server 2008 instance
  6. WHERE IN (array of IDs)
  7. ‘datetime2’ error when using entity framework in VS 2010 .net 4.0
  8. How to pass XML from C# to a stored procedure in SQL Server 2008?
  9. Why does the SqlParameter name/value constructor treat 0 as null?
  10. How to execute a stored procedure within C# program
  11. How to get the connection String from a database
  12. Read data from SqlDataReader
  13. Assign null to a SqlParameter
  14. I get a “An attempt was made to load a program with an incorrect format” error on a SQL Server replication project
  15. SQL error: Incorrect syntax near the keyword ‘User’
  16. Entity Framework/Linq to SQL: Skip & Take
  17. SQLException : String or binary data would be truncated
  18. Entity-framework code is slow when using Include() many times
  19. Creating a SQL Server table from a C# datatable
  20. SQL: Update a row and returning a column value with 1 query
  21. Is there an Entity Framework 7 Database-First POCO Generator?
  22. Invalid column name sql error
  23. Keyword Not Supported: Metadata
  24. Why is EF generating SQL queries with unnecessary null-checks?
  25. Know when to retry or fail when calling SQL Server from C#?
  26. How to insert data into SQL Server
  27. How to get efficient Sql Server deadlock handling in C# with ADO?
  28. Cyrillic encoding in C#
  29. Generating sql code programmatically
  30. Accessing System Databases/Tables using LINQ to SQL?

Leave a Comment