
I have a database with tables that are created by the user. This obviously means that I don't know what the tables are called beforehand, so I can't access them like others, where I could simply do:

"SELECT * FROM table_name"

To solve this the first method I tried was to use parameters like:

MySqlCommand command = new MySqlCommand("SELECT * FROM @table");
command.Parameters.AddWithValue("@table", table_name);

However, this caused an error. I presume this is because you can't use parameters for things like table names and column names. The second way I had to solve this was to just add the name of the table to the string:

string tableName = "table_name";
MySqlCommand command = new MySqlCommand("SELECT * FROM " + tableName.ToString());

However, as far as I'm aware, this is very susceptible to attacks like SQL injection. So my question is: what is the best/safest way of accessing tables where the table name is a variable?

Any help is greatly appreciated. Thanks in advance.
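
One way to handle a variable table name, as an added example that is not part of the original post: check the name against a strict pattern, confirm it exists through information_schema (where the name is an ordinary value, so a parameter works), and only then place the backtick-quoted identifier in the statement. The class and method names, the naming pattern and the already-open MySqlConnection are assumptions; the inputs in Main are constructed.

```csharp
using System;
using System.Text.RegularExpressions;
using MySql.Data.MySqlClient;

static class SafeTable
{
    // Assumed naming rule for user-created tables: letters, digits, underscore,
    // at most 64 characters (MySQL's identifier length limit).
    static readonly Regex Allowed = new Regex(@"\A[A-Za-z0-9_]{1,64}\z");

    // Returns the name wrapped in backticks, or throws if it does not match the rule.
    public static string QuoteIdentifier(string name)
    {
        if (name == null || !Allowed.IsMatch(name))
            throw new ArgumentException("Invalid table name.", nameof(name));
        return "`" + name + "`"; // the rule excludes backticks, so no escaping is needed
    }

    // Here the table name is compared as data, so it can be bound as a parameter.
    public static bool TableExists(MySqlConnection conn, string name)
    {
        const string sql = "SELECT COUNT(*) FROM information_schema.tables " +
                           "WHERE table_schema = DATABASE() AND table_name = @name";
        using (var cmd = new MySqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@name", name);
            return Convert.ToInt64(cmd.ExecuteScalar()) > 0;
        }
    }

    // Builds the SELECT only after both checks pass; conn must already be open.
    public static MySqlCommand SelectAll(MySqlConnection conn, string name)
    {
        string quoted = QuoteIdentifier(name);
        if (!TableExists(conn, name))
            throw new ArgumentException("Unknown table.", nameof(name));
        return new MySqlCommand("SELECT * FROM " + quoted, conn);
    }

    static void Main()
    {
        // Constructed inputs: the first passes the rule, the second is rejected.
        Console.WriteLine(QuoteIdentifier("user_table_1"));
        try { QuoteIdentifier("t` WHERE 1=1 -- "); }
        catch (ArgumentException e) { Console.WriteLine(e.Message); }
    }
}
```

Values in the WHERE clause of the resulting command should still be bound with Parameters.AddWithValue as usual; only the identifier is spliced in.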
