string table = "City";
string query = "Select * from '"+table+"'";
This gives me an error stating incorrect symbol near ".
However,
string query = "Select * from City";
Gives the proper output.
You just need this
string query = "Select * from '"+table+"'";
to be replaced by
string query = "Select * from " + table;
Because your query string is not "Select * from City";
while it is forming "Select * from 'City'";
and thus you are getting the error.
Best practice would be to use string.Format
string table = "City";
string query = string.Format("Select * from {0}", table);
You need to form your query like below.
string table = "City";
//You don't need to have single quote...
string query = " Select * From " + table;
In order to use a Where condition, do it like below.
//Where clause only needs single quotes, to define the SQL parameter value in between...
string query = " Select * From " + table + " Where CityId = '" + cityId + "'";
Hope this helps.
Best practice should be not to do this, because it's susceptible to malicious SQL injection.
Anyway, if you have control over the table variable, you should do it as @madcow69 suggested, but I suggest adding the delimiters, so you always have a valid delimited identifier (for example if your table name is "order" or any other SQL reserved word).
string table = "City";
string query = string.Format("Select * from [{0}]", table);
But what if table is the following?
string table = "City]; DROP DATABASE [YourDB";
You can make it work like this:
string table = "City";
string query = "Select * from "+table;
Hope this helps.
If you're using .NET 4.6, you could use the new "composite string formatting" feature introduced with C# 6.0 (read about it here).
This enables you to write your statement like this:
string query = $"Select * from {table}";
However, I would strongly recommend not writing queries like that and using SQL parameters. This will help you avoid SQL injection attacks.
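An added example, not code from any of the answers above: a table name cannot be passed as a SQL parameter, so it is checked against an allowlist and delimited, while the CityId value goes in as a parameter. The class and method names, the allowlist contents, the int type of CityId and the use of System.Data.SqlClient are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class SafeTableQuery
{
    // Assumed allowlist of tables the application may query (hypothetical names).
    static readonly HashSet<string> AllowedTables =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "City", "Order" };

    // Delimit an identifier for SQL Server: wrap it in [ ] and double any ']',
    // the same escaping rule T-SQL's QUOTENAME applies.
    public static string QuoteIdentifier(string name)
    {
        if (string.IsNullOrEmpty(name) || name.Length > 128)
            throw new ArgumentException("Invalid identifier length.", nameof(name));
        return "[" + name.Replace("]", "]]") + "]";
    }

    // Table name: allowlist check plus delimiting.
    // Value: bound as a typed parameter, never concatenated into the text.
    public static SqlCommand BuildQuery(string table, int cityId)
    {
        if (!AllowedTables.Contains(table))
            throw new ArgumentException("Table is not in the allowlist.", nameof(table));

        var cmd = new SqlCommand(
            "SELECT * FROM " + QuoteIdentifier(table) + " WHERE CityId = @cityId");
        cmd.Parameters.Add("@cityId", SqlDbType.Int).Value = cityId;
        return cmd;
    }

    static void Main()
    {
        // Constructed sample inputs; no database connection is opened.
        Console.WriteLine(BuildQuery("City", 42).CommandText);

        // The hostile value quoted in the thread is rejected before any SQL is built.
        try { BuildQuery("City]; DROP DATABASE [YourDB", 42); }
        catch (ArgumentException e) { Console.WriteLine("Rejected: " + e.Message); }

        // Without the allowlist, delimiting alone still keeps it one identifier.
        Console.WriteLine(QuoteIdentifier("City]; DROP DATABASE [YourDB"));
    }
}
```

Assign a SqlConnection to the returned command's Connection property before executing it.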