1

I am getting the following error:

An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as "" or [] are not allowed. Add a name or single space as the alias name.

For the query show below:

if (comboBox1.SelectedIndex > -1) {

    // comboBox1.UpdateLayout();

    SqlCom.CommandText = "select  distinct  table_name from [" +comboBox1.Text + "].information_schema.columns c inner join [" + comboBox1.Text + "].sys.tables t on c.table_name = t.name order by table_name";

    using (SqlDR = SqlCom.ExecuteReader()) {

        comboBox2.Items.Clear();

        while (SqlDR.Read()) {

            comboBox2.Items.Add(SqlDR.GetString(0));}

        }
}

Any idea what the problem is here?

I fill combobox1 whit : `SqlCom.CommandText = "select * from sys.databases where database_id > 4 order by name"; This works ok

Dani Dărăban
  • 23
  • 2
  • 13
  • 3
    please, use parameterized queries http://stackoverflow.com/q/5468425/791952 – Nikita Silverstruk Aug 21 '13 at 16:30
  • 1
    post your query after filling in the values from comboboxes – Ehsan Aug 21 '13 at 16:31
  • Put a breakline on `using` and check how your query looks like. Also, it clearly says, `Aliases defined as "" or [] are not allowed` and you have both [ and ]. – Nikita Silverstruk Aug 21 '13 at 16:32
  • 1
    I'd say there are numerous problems. SQL Injection, improperly handling unmanaged resources (ie: missing `USING` clauses for the `SqlCommand` object), no error handling.... However, none of those are the particular issue you are asking about. Do as No One said and post the actual query that was generated. – NotMe Aug 21 '13 at 16:34
  • Have you tried this with SSMS? – Sriram Sakthivel Aug 21 '13 at 16:35
  • @NikitaSilverstruk: as far as I know, you can't use parameters as placeholders for database object names like the `FROM` part? @ChrisLively: This is tagged WPF. If you can change the combobox item `.Text` value on your machine to attempt a SQL injection (you have debugging rights), you can just as well edit the SQL `.CommandText` property. I fail to see where the security issue is. Once you are inside the safe side of the airtight hatchway, everything goes. – jods Aug 21 '13 at 17:07
  • @jods: The location of the code is immaterial. What really matters here is having the discipline to be consistent and do things the right way. The attitude of "everything goes" once inside a supposedly "airtight hatchway" leads to not doing things correctly when you are outside of that *supposedly* secure zone. – NotMe Oct 08 '13 at 23:19
  • @ChrisLively: agreed, things should generally be done in a consistent, safe way. That said, strictly speaking this code is not a security vulnerability. So a better comment could have been about the actual question. Now out of curiosity: how would you change this code? Parameters can't be used for SQL table names, so concatenation is the only way. You need to validate the string you concatenate, which is fine on a web server, but meaningless in this context as the validation can be hacked just as well as the combobox value itself. Your take on this? – jods Oct 09 '13 at 10:00
  • @jods: Remove the DB qualifier from the query entirely. Instead, construct a sqlconnection object with the selected DB name. If they have compromised the selection box a connection attempt would fail. – NotMe Oct 09 '13 at 16:00
  • @ChrisLively: I read a bit quickly and did not notice that the only part that gets replaced is not the table name but the db name, which can indeed easily be omitted from the query. – jods Oct 09 '13 at 23:33

2 Answers2

2

As you mentioned in one of the comments, the actual query is:

select distinct table_name 
from .information_schema.columns c 
inner .sis.tables t 
on c.table_name = t.name order by table_name

This means that both of your combobox values are empty. Explore where you loose the value and you will get your answer.

Nikita Silverstruk
  • 1,097
  • 1
  • 20
  • 42
  • So i runed this sql command in sql : select distinct table_name from DB1.information_schema.columns c inner join DB1.sys.tables t on c.table_name = t.name order by table_name and it works fine but i stil cant figure it out where i am losing the combobox content :| – Dani Dărăban Aug 21 '13 at 18:09
  • 1
    I have never used WPF comboBoxes but if I am not mistaken, you would have to use `SelectedValue` instead of `Text`, just like in a `DropDownList` or a `ListBox`. – Nikita Silverstruk Aug 21 '13 at 18:20
1

So if I read this right...

Combo Box 1 is a list of database names...

Combo Box 2 is a list of table names...

You're trying to look-up a list of tables for a given database to populate Combo Box 2, right? If so...

  1. Why the joined tables in your query? And why bother with table aliases with such a short query? Why not just select a list of tables from sys.tables?
  2. Parameters Parameters Parameters, as your commentators have already said
Chains
  • 12,541
  • 8
  • 45
  • 62
  • This program was built in Winforms C# alredy and is working fine, i wanted to include it in a wpf aplication... – Dani Dărăban Aug 21 '13 at 17:11
  • Combobox1 is populated whit the names of all databases but it uploads a list of tables that arent in that database : MSreplication_options, spt_fallback_db,spt_fallback_dev,spt_fallback_usg,spt_monitor – Dani Dărăban Aug 21 '13 at 17:44