The following works:

var s = string.Format("drop table {0};", tableName);
context.Database.ExecuteSqlCommand(s);

But to avoid injection I'm trying to use the parameterised version:

context.Database.ExecuteSqlCommand(@"drop table {0};", tableName);

However, this gives me the error "Incorrect syntax near '@p0'."

I've tried ? as well, but I get similar results.

  • What is the source of tableName? And what is the reason for this requirement? Commented Jan 24, 2014 at 23:42
  • This is SQL injection. Commented Jan 26, 2014 at 15:05

1 Answer

The table name can't be parameterised.

To avoid injection the best you can do is emulate the T-SQL QUOTENAME function. Ensure the table name is no longer than 128 characters. Wrap it in [] and replace any embedded ] with ]].

Executing a DROP TABLE based on arbitrary user input sounds highly unusual/problematic in itself though.
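One way to put that advice into code, as an added example in C# that is not part of the question or the answer above. The class and method names are assumptions, and `context`/`tableName` refer to the variables used in the question.

```csharp
using System;

// Emulates T-SQL QUOTENAME for a single identifier so it can be spliced into
// a statement position that cannot take a parameter (identifiers never can).
static class SqlIdentifier
{
    // sysname is nvarchar(128); QUOTENAME itself returns NULL for longer input.
    private const int MaxIdentifierLength = 128;

    public static string QuoteName(string name)
    {
        if (string.IsNullOrEmpty(name))
            throw new ArgumentException("Identifier must not be empty.", nameof(name));
        if (name.Length > MaxIdentifierLength)
            throw new ArgumentException(
                $"Identifier exceeds {MaxIdentifierLength} characters.", nameof(name));

        // Inside [...] the only character that needs escaping is ']', doubled.
        return "[" + name.Replace("]", "]]") + "]";
    }

    // Caveat: quote each part of a schema-qualified name separately;
    // QuoteName("dbo.Orders") would name one table literally called "dbo.Orders".
    public static string QuoteQualifiedName(string schema, string table)
    {
        return QuoteName(schema) + "." + QuoteName(table);
    }

    static void Main()
    {
        // Constructed sample inputs
        Console.WriteLine(QuoteName("Orders"));              // [Orders]
        Console.WriteLine(QuoteName("Odd]Name"));            // [Odd]]Name]
        Console.WriteLine(QuoteQualifiedName("dbo", "Orders")); // [dbo].[Orders]

        // With the question's EF call, the quoted identifier is concatenated
        // (it is an identifier, so there is still no parameter to bind):
        // var sql = "drop table " + SqlIdentifier.QuoteName(tableName) + ";";
        // context.Database.ExecuteSqlCommand(sql);
    }
}
```

Quoting only makes the value a well-formed identifier; it does not decide whether that table should be dropped, so pairing it with a check against the set of tables the application actually owns is still advisable.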
