Home/ Questions/Q 7951071
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-04T02:27:06+00:00

Using OleDbCommand . I can add SQL parameters and thus keep the query safe

  • 0

Using OleDbCommand. I can add SQL parameters and thus keep the query safe from SQL-injection, but is there a way to do this within the FROM cluase.See below

THIS WORKS

query = "Select * From Company Where @param = 1";
OleDbCommand Command = new OleDbCommand(query, sqlConnStr);

DataTable Table = new DataTable();
DataSet dataSet = new DataSet();
Table = null;

//Add Parameters
Command.Parameters.AddWithValue("param", "ID");
Command.ExecuteNonQuery();
adapter.SelectCommand = Command;
adapter.Fill(dataSet);
Table = dataSet.Tables[0];

it returns a nice table with the wonderful row where id = 1

BUT

I am looking for something like this, note the FROM CLAUSE

query = "Select * From @tableName Where @param = 1";
OleDbCommand Command = new OleDbCommand(query, sqlConnStr);

DataTable Table = new DataTable();
DataSet dataSet = new DataSet();
Table = null;

//Add Parameters
Command.Parameters.AddWithValue("param", "ID");
Command.Parameters.AddWithValue("tableName", "Company");
Command.ExecuteNonQuery();
adapter.SelectCommand = Command;
adapter.Fill(dataSet);
Table = dataSet.Tables[0];

The DBMS keeps returning with "Error in From clause"

PS everything is spelled correctly – I triple checked

To All – Thanks but Alas i shall stick to just Parameterized SQL. I don’t like Dynamic SQL One BIT

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You’d have to execute a dynamically concatenated SQL string, which unfortunately would compromise whatever benefits parametrized SQL had afforded you to begin with. See this post.

    DECLARE @SQL varchar(250)
SELECT @SQL = 'Select * From ' + @TableName + ' Where ' + @param + ' = 1'
Exec(@SQL)

    Not advisable, if you can predetermine the table name through some other means instead.

    • 0