
The following works:

var s = string.Format("drop table {0};", tableName);
context.Database.ExecuteSqlCommand(s);

But to avoid injection I'm trying to use the parameter version:

context.Database.ExecuteSqlCommand(@"drop table {0};", tableName);

However, this is giving me an error: "Incorrect syntax near '@p0'."

I've tried ? as well, but I get similar results.

WhiskerBiscuit

1 Answer


The table name can't be parameterised.

To avoid injection the best you can do is emulate the TSQL QUOTENAME function. Ensure the table name is no longer than 128 characters. Wrap it in [] and replace any embedded ] with ]].

Executing a DROP TABLE based on arbitrary user input sounds highly unusual/problematic in itself though.

Martin Smith