Table name and table field on SqlParameter C#?

by

If you are worried about SQL injection, the SqlCommandBuilder class (and other DB specific versions of DbCommandBuilder) have a function called QuoteIdentifier that will escape your table name properly.

var builder = new SqlCommandBuilder();
string escTableName = builder.QuoteIdentifier(tableName);

Now you can used the escaped value when building your statement and not have to worry about injection- but you should still be using parameters for any values.

More Related Contents:

  1. How do parameterized queries help against SQL injection?
  2. What is the syntax for an inner join in LINQ to SQL?
  3. Read SQL Table into C# DataTable
  4. Is it necessary to manually close and dispose of SqlDataReader?
  5. DropdownList DataSource
  6. Code to validate SQL Scripts
  7. Does using parameterized SqlCommand make my program immune to SQL injection?
  8. Executing query with parameters
  9. C# Version Of SQL LIKE
  10. Use linq to generate direct update without select
  11. SqlConnection.Close() inside using statement
  12. Retrieve an object from entityframework without ONE field
  13. Join and Include in Entity Framework
  14. Why is a SQL float different from a C# float
  15. Get affected rows on ExecuteNonQuery
  16. Sql Bulk Copy/Insert in C#
  17. Check if a SQL table exists
  18. Issues Doing a String Comparison in LINQ
  19. Passing datatable to a stored procedure
  20. Use SQL Server time datatype in C#.NET application?
  21. Generating sql code programmatically
  22. Do we have transactions in MS-Access?
  23. Is SqlConnection.Close() need inside a Using statement?
  24. How costly is .NET reflection?
  25. Best way to compare two complex objects
  26. .NET Memory issues loading ~40 images, memory not reclaimed, potentially due to LOH fragmentation
  27. Printing to a client printer from a web app
  28. Difference between IEnumerable Count() and Length
  29. Best way to update LINQ to SQL classes after database schema change
  30. Can’t await async extension method

Leave a Comment