
I tried this statement:

```csharp
string query = "SELECT question FROM '" + GlobalVariables.dbQCode + "' WHERE [question_code] = '" + GlobalVariables.questionCode + "' ";
```

and when I run the code it is giving me an exception:

Syntax error in query. Incomplete query clause.

Is there a way where I can use my variable? I want it to work because I want this code to work also:

```csharp
if (comboBox1.Text == "General Education")
{
    GlobalVariables.subjectCode = "GenEd_English";
    GlobalVariables.dbQCode = "Gen_Ed_Question_Items";
    GlobalVariables.dbCCode = "Gen_Ed_Choice_Bank";
    if (comboBox2.Text == "English")
    {
        GlobalVariables.subjectName = "ENGLISH";
    }
}
```
tenkyu
    [What are good ways to prevent SQL injection?](https://stackoverflow.com/questions/14376473/what-are-good-ways-to-prevent-sql-injection) • [SqlCommand Parameters Add vs. AddWithValue](https://stackoverflow.com/questions/21110001/sqlcommand-parameters-add-vs-addwithvalue) –  Jun 23 '21 at 10:32
  • 1
    `FROM " + GlobalVariables.dbQCode + " WHERE` or `FROM [" + GlobalVariables.dbQCode + "]`? –  Jun 23 '21 at 10:33
  • 1
    oh yes that worked, thank you very much, I'm sorry I'm new to SQL statements. Thank you! – tenkyu Jun 23 '21 at 10:36
  • @tenkyu especially when you are new, it's _very_ important you carefully read Oliviers links. better learn _now_ how to do it right, than to debug security holes some years later. – Franz Gleichmann Jun 23 '21 at 11:09
  • @OlivierRogier - first comment: how to prevent SQL injection; second comment here: code which is open to SQL injection – Rand Random Jun 23 '21 at 11:35
  • 1
    @RandRandom SQL parameters can't be used for table names, as I know: [SqlParameter does not allows Table name - other options without sql injection attack?](https://stackoverflow.com/questions/17947736/sqlparameter-does-not-allows-table-name-other-options-without-sql-injection-at) and [Table name and table field on SqlParameter C#?](https://stackoverflow.com/questions/3128582/table-name-and-table-field-on-sqlparameter-c) –  Jun 23 '21 at 11:43
  • I really wonder if such a concatenation is the best way of solving the problem. Why are you trying to select from tables dynamically? – Alejandro Jun 23 '21 at 13:01
  • Thank you for your suggestions and the links you've provided, I will read all that, I thank you guys very much. However, this is just for a small school activity. But I really appreciate your concern about my codes, thank you! – tenkyu Jun 23 '21 at 13:03
  • @tenkyu Always use SQL *typed* parameters, don't start with a bad habit. –  Jun 23 '21 at 13:04
  • @Alejandro, our teacher gave us different tables for Questions and Choices with different subtopics, which is weird, but I tried to use an if-else so I don't have to write the code repeatedly – tenkyu Jun 23 '21 at 13:05
  • @OlivierRogier, I'll take note of that sir, thank you – tenkyu Jun 23 '21 at 13:07

1 Answer


Single quotes (') denote string literals. Object names, such as table names, should not be surrounded by quotes:

```csharp
string query = "SELECT question FROM " + GlobalVariables.dbQCode + " WHERE [question_code] = '" + GlobalVariables.questionCode + "' ";
// Quotes removed here --------------^-----------------------------^
```
Mureinik
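The answer fixes the syntax error, and the comment thread raises the second point: the `question_code` value should be a typed SQL parameter, while the table name cannot be parameterized and so must be validated another way. The following is an added example that is not the asker's code or the answerer's; it puts both points together. It assumes the database is accessed through `System.Data.OleDb` (the "Incomplete query clause" message is characteristic of the Access/Jet provider, so that is an assumption, as is the `?` positional placeholder that OleDb uses) and that the set of question tables is small and known in advance, which is what the `if`/`else` in the question suggests. `QuestionRepository`, `GetQuestion` and the allow-list contents are illustrative names.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.OleDb;

// Hypothetical helper (not from the question or answer) showing one way to
// query a per-subject question table without building the whole statement
// from untrusted strings.
static class QuestionRepository
{
    // Identifiers (table and column names) cannot be passed as SQL parameters,
    // so the table name is checked against a fixed allow-list instead of being
    // concatenated in raw. Only names listed here can ever reach the query.
    private static readonly HashSet<string> AllowedQuestionTables =
        new HashSet<string>(StringComparer.Ordinal)
        {
            "Gen_Ed_Question_Items",   // table name taken from the question
            // add the other per-subject question tables here
        };

    public static string GetQuestion(OleDbConnection connection, string questionTable, string questionCode)
    {
        if (connection == null) throw new ArgumentNullException(nameof(connection));
        if (questionCode == null) throw new ArgumentNullException(nameof(questionCode));

        // Reject anything that is not a known table, even if it "looks" valid.
        if (!AllowedQuestionTables.Contains(questionTable))
            throw new ArgumentException("Unknown question table: " + questionTable, nameof(questionTable));

        // The validated identifier is wrapped in brackets (no single quotes,
        // which would turn it into a string literal, as the answer explains);
        // the user-supplied value goes in as a parameter, never in the string.
        string sql = "SELECT question FROM [" + questionTable + "] WHERE [question_code] = ?";

        using (var command = new OleDbCommand(sql, connection))
        {
            // Typed parameter: the provider sends the value separately from the
            // SQL text, so quotes or keywords in questionCode cannot alter the query.
            // The size (50) is an assumed column width.
            command.Parameters.Add("@questionCode", OleDbType.VarWChar, 50).Value = questionCode;

            object result = command.ExecuteScalar();
            return (result == null || result == DBNull.Value) ? null : (string)result;
        }
    }
}
```

The branches in the question would then set `GlobalVariables.dbQCode` to one of the allow-listed names and call `QuestionRepository.GetQuestion(connection, GlobalVariables.dbQCode, GlobalVariables.questionCode)`. The allow-list is what makes the identifier concatenation safe: a value that was not put there by the developer is rejected before any SQL is built.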