0

I was working on VB.NET and am now switching to C#. I was using the following code to use table as variable from combo box to fill a DataGrid:

Dim strTAB as a String

dtTAB1 = New DataTable  
strTAB = cboDTA_TBL.Text 

adpPRJ = New SqlDataAdapter("Select * from """ & strTAB & """", conPRJ_NET)

'conPRJ_NET is connection to connect MsSQL Database on server.

adpPRJ.Fill(dtTAB1)

dgFIN_TAB.DataSource = dtTAB1

I am looking for the C# equivalent of """ & strTAB & """.

This code works perfectly in vb.net, no errors.

Can anyone help?

ADyson
  • 57,178
  • 14
  • 51
  • 63
WamanIna
  • 11
  • 2
  • 2
    so are you looking for a concatenation operator in c#? It is **+** but sometimes you might have to convert to string, first. I would suggest renaming the title. – Dr Phil Mar 22 '19 at 11:15
  • 2
    This code is a [SQL injection](http://bobby-tables.com) disaster waiting to happen. – ADyson Mar 22 '19 at 11:19
  • I have already tried with changing & to + in C#. But its not working. – WamanIna Mar 22 '19 at 11:19
  • Anyway the answer to your question can be found here, I expect: https://learn.microsoft.com/en-us/dotnet/csharp/how-to/concatenate-multiple-strings . Did you even try to google this? It's a pretty basic language concept. It's not quite as simple as just replacing & with +, you've got the escaping of the quote marks to contend with as well. But if you fixed your SQL injection vulnerability you wouldn't have to deal with that. I worry that you appear to be letting the user control almost the entire SQL statement being executed. That is a serious hole in your code. – ADyson Mar 22 '19 at 11:20
  • (N.B. Note that if you're trying to vary the table name being selected, then parameterisation can't actually help you, because you can't parameterise a table name, only a variable/field value. Instead you need to whitelist the table names allowed, to stop users executing arbitrary SQL against your database). – ADyson Mar 22 '19 at 11:22
  • oK, If I have a database of 18 tables and i want to populate data grid from any of these 18 tables upon selection from a Combo Box drop down, how it can be done in C# ??? As the above code is working in vb.net and its very easy to use as well. – WamanIna Mar 22 '19 at 11:28
  • In the simplest case you do it the same way as now, just using C# syntax. But as I mentioned it's not secure. You need to secure in the way I've described (regardless of which language you write the code in). I'm talking about a conceptual issue of security, not a syntax issue. – ADyson Mar 22 '19 at 11:41
  • P.S. Are you aware that there are code converters available (such as this one: http://converter.telerik.com/) which can re-write VB code into C# (and the other way round), and will do 90% of the work for you (sometimes it makes mistakes, but only with more complicated code usually). – ADyson Mar 22 '19 at 11:43

3 Answers3

1

As mentioned, this is a bad design, due to SQL Injection, but here's your answer :

var strTAB = "tableName";
string myString = $"Select * from {strTAB}";
WynDiesel
  • 1,104
  • 7
  • 38
  • @WamanIna. Glad to hear it! Can you please check this as the answer? – WynDiesel Mar 22 '19 at 11:51
  • There is one more option which is working now : string myString = "Select * from " + strTAB; – WamanIna Mar 22 '19 at 11:52
  • Concatenating with a "+" would also work, yes,but is generally frowned upon, and not as easy to read as string interpolation (the {value} syntax I used) – WynDiesel Mar 22 '19 at 11:54
  • @WamanIna. Bit of a long answer, but the short answer is using paramatised SQL. Take a look here -> https://stackoverflow.com/questions/7505808/why-do-we-always-prefer-using-parameters-in-sql-statements – WynDiesel Mar 22 '19 at 11:55
  • @WynDiesel Parameterized SQL is a good general answer, but it doesn't help in this case. It really needs a whitelist of valid table names, or at least validation that the table name only contains letters, numbers, and underscores (and then make sure you put [] around the name). – Bryce Wagner Mar 23 '19 at 18:53
  • @BryceWagner, personally, I wouldn't use dynamic SQL at all. I would rather only use stored procs, or if not that, only use generated code by the DAL. – WynDiesel Mar 23 '19 at 18:59
0

Although, normally you would never concatenate strings to build an Sql statement, you do not need to be concerned about Sql Injection if your combo box DropDownStyle is set to DropDownList. This is essentially "limit to list" but it is NOT the default setting.

The using statements ensure that your database objects are closed and disposed.

I not sure what the the double quotes around the table name are supposed to do but in Sql Server the identifier delimiters are square brackets. ( [ ] )

    private void button1_Click(object sender, EventArgs e)
    {
        string query = "Select * From [" + cboDTA_TBL.Text + "];";
        DataTable dtTAB1 = new DataTable();
        using (SqlConnection conPRJ_NET = new SqlConnection("Your connection string"))
        {
            using (SqlDataAdapter adpPRJ = new SqlDataAdapter(query, conPRJ_NET))
            {
                adpPRJ.Fill(dtTAB1);
            }
        }
        dgFIN_TAB.DataSource = dtTAB1;
    }
Mary
  • 14,926
  • 3
  • 18
  • 27
-2

I use a MySQL command like this:

string db_name= "test";
string db_table = "table";
command.CommandText = "SELECT * FROM " + db_name+ "." + db_table + " WHERE ID = "ID";";
// sometimes you need the: ' around the string-variables
command.CommandText = "SELECT * FROM '" + db_name+ "." + db_table + "' WHERE ID = "ID";";
zeitgeist02
  • 1
  • 1
  • and how is MySQL relevant to a SQL Server question? I agree you've shown the string concatenation syntax for C#, so maybe focus on that (and use the OP's code, not some random bit of yours) in your description instead. Make your answer _relevant_, not a generic copy and paste example – ADyson Mar 22 '19 at 11:42