-5

The problem is in the select query: it's not working, and an exception occurs near textBox1.Text:

```csharp
private void button1_Click(object sender, EventArgs e)
{
    try
    {
        con.Open();
        SqlDataAdapter sda = new SqlDataAdapter("select * From '"+textBox1.Text+"'", con);
        sda.SelectCommand.ExecuteNonQuery();
        DataTable dtable = new DataTable();
        sda.Fill(dtable);
        BindingSource bSource = new BindingSource();
        bSource.DataSource = dtable;
        dataGridView1.DataSource = bSource;
        sda.Update(dtable);
        con.Close();
    }
    catch (Exception ex)
    {
        MessageBox.Show(ex.Message);
    }
}
```
Patrick Weiß
  • **warning** your code is extremely vulnerable to sql injection attack! – Daniel A. White Jan 17 '16 at 13:22
  • Your problem statement is not clear. You are getting an exception but nowhere do you say what exception or do you give any exception details. Edit your post to include the exception. – TT. Jan 17 '16 at 13:26
  • Please read [ask] and share the exact error and your research. Your query ends up being `select * from 'tablename'` , which is not valid SQL. You may want to check [Table name and table field on SqlParameter C#?](http://stackoverflow.com/questions/3128582/table-name-and-table-field-on-sqlparameter-c). – CodeCaster Jan 17 '16 at 13:26
  • I want to pass the name of the table at run time through a textbox – Hamza Latif Jan 17 '16 at 13:29
  • @HamzaLatif: `"I want to pass the name of the table at run time through a textbox"` - If that's the requirement you have to meet, that's fine. But be aware that this approach allows your users to execute *any code they want* on the server. Users can easily modify or delete the database in any way. As for your actual question, nobody here can help you unless you describe the problem. We can't see your screen from here, so we only have the information that you provide. – David Jan 17 '16 at 13:34
  • I want to open any table of the database by passing the name of the table through a textBox – Hamza Latif Jan 17 '16 at 13:37
  • @HamzaLatif: Um, ok. But if you have an actual question about that, be sure and let us know so we can help you. Just repeating your requirements to us again isn't a question. If you're getting an error, *read the error message*. If you have a question about your code, *ask it*. – David Jan 17 '16 at 13:43

1 Answer

1

Take a look at your query. The problem is that you are quoting your table name, so it's considered a string literal rather than a table name:

```
"select * From '"+textBox1.Text+"'"
               ^... Here
```

Again, you are using ExecuteNonQuery() instead of ExecuteReader()

Your query is prone to SQL Injection and I don't think you can pass a table name as a parameter to the DB. If this is your real requirement, then consider using a dynamic query instead. A sample using a stored procedure:

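```sql
create procedure usp_selectData(@tblname nvarchar(100))
as begin
-- sized to hold the fixed prefix plus the bracketed (QUOTENAME) table name
declare @sql nvarchar(300);
-- build and run the dynamic query only when @tblname matches an existing table
if (exists (select * from information_schema.tables 
             where table_name = @tblname))
begin
    -- QUOTENAME brackets the name so it is always treated as a single identifier
    set @sql = 'select * from ' + quotename(@tblname);
    exec(@sql);
end
end
```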
Rahul
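Added example, not part of the original question or answer: the same catalog check done from the C# side, so the text-box value only ever travels as a parameter and the query text is built from the name the server returns. `TableLoader`, `LoadTable`, `connectionString` and `requestedName` are hypothetical names; `System.Data.SqlClient` is assumed because the question uses `SqlDataAdapter`.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class TableLoader
{
    // Hypothetical helper: loads a user-chosen table without concatenating
    // the raw text-box value into the SQL text.
    public static DataTable LoadTable(string connectionString, string requestedName)
    {
        // SQL Server identifiers are at most 128 characters long.
        if (string.IsNullOrWhiteSpace(requestedName) || requestedName.Length > 128)
            throw new ArgumentException("Invalid table name.", nameof(requestedName));

        using (var con = new SqlConnection(connectionString))
        {
            con.Open();

            // 1. Resolve the input against the catalog. The user's text is a
            //    parameter here, so it is compared as data, never parsed as SQL.
            //    QUOTENAME brackets schema and table name on the server.
            //    If several schemas hold a table with this name, the first match is used.
            const string lookup =
                @"SELECT QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME)
                  FROM INFORMATION_SCHEMA.TABLES
                  WHERE TABLE_NAME = @name AND TABLE_TYPE = 'BASE TABLE'";
            string quoted;
            using (var cmd = new SqlCommand(lookup, con))
            {
                cmd.Parameters.Add("@name", SqlDbType.NVarChar, 128).Value = requestedName;
                quoted = cmd.ExecuteScalar() as string;   // null when no row matches
            }
            if (quoted == null)
                throw new ArgumentException("No such table: " + requestedName);

            // 2. Only the catalog-derived, bracketed identifier reaches the query text.
            var table = new DataTable();
            using (var sda = new SqlDataAdapter("SELECT * FROM " + quoted, con))
            {
                sda.Fill(table);   // Fill executes the SELECT itself
            }
            return table;
        }
    }
}
```

In the click handler this would be called as `dataGridView1.DataSource = TableLoader.LoadTable(connectionString, textBox1.Text);`, with the account in the connection string limited to read access on the tables users may browse.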