Possible Duplicate: Sanitize table/column name in Dynamic SQL in .NET? (Prevent SQL injection attacks)

Question

0

Editorial Team

Asked: June 16, 20262026-06-16T02:00:57+00:00 2026-06-16T02:00:57+00:00

Possible Duplicate: Sanitize table/column name in Dynamic SQL in .NET? (Prevent SQL injection attacks)

0

Possible Duplicate:
Sanitize table/column name in Dynamic SQL in .NET? (Prevent SQL injection attacks)

I have a query like so:

"SELECT * FROM MyTable_" + myID + " WHERE variable = @variable";

The SQL Parameterization works with variables, but how do I get it to work with table names? myID is an int I get passed in and changed (can be converted to string), but how do I protect against sql injections here?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-16T02:00:58+00:00

I question why you are doing this, but you can look at sys.tables for a conclusive whitelist.

DECLARE @TableName VARCHAR(100) = 'Table to Look for';
DECLARE @Exists BIT = ( SELECT CAST( COUNT(1) AS BIT ) FROM sys.tables WHERE name = @TableName AND type = 'U' );

You could parameterize the initial input, but the whitelist approach is still important. Otherwise, a malicious user could pass any valid table name in the entire database and the query would run against it (assuming they had SELECT permissions).

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Possible Duplicate: Sanitize table/column name in Dynamic SQL in .NET? (Prevent SQL injection attacks)

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply