I'm working on an application, reading tables in an MS-SQL database. Normally this way of working is fine:

sqlCommand.CommandText = $"SELECT {Col_Name} FROM {variable}";
sqlDataReader = sqlCommand.ExecuteReader();
while (sqlDataReader.Read())
{
    string value = sqlDataReader.GetString(0); // this takes the value of Col_Name
}

Now, however, I'm using a SELECT DISTINCT query, and the whole thing goes wrong:

for (int i = 0; i< dt_main.Columns.Count - 1; i++) // dt_main is a DataTable, containing the columns.
                                                   // This is checked and working fine.
{
    string col_Name = dt_main.Columns[i].Caption; // This seems to be correct too.
    sqlCommand.CommandText = $"SELECT DISTINCT @col FROM {cmb_Table_Names.SelectedItem}"; 
                                   // cmb_Table_Names.SelectedItem contains the table name -> Ok.
    sqlCommand.Parameters.Clear(); // In the program, I'm always using the same 
                                   // sqlCommand object, so the parameters need to be cleared first.
    sqlCommand.Parameters.AddWithValue("col", col_Name);
    sqlDataReader = sqlCommand.ExecuteReader();
    string value_in_table = "";
    while (sqlDataReader.Read())
    { 
        value_in_table = sqlDataReader.GetString(0); // try read the distinct values.
                                                     // NOK: the column name is read instead.
    }
    sqlDataReader.Close();
}

As you can see from the comments, going wrong (NOK) means that value_in_table is set not to the values inside the column, but to the name of the column.
Remark: I have tried the SELECT DISTINCT query in MS-SQL management studio and it's working correctly.
Remark 2: I have also performed the desperate experiment value_in_table = sqlDataReader.GetString(1);, which, obviously, failed miserably :-)

As I'm new to SqlCommand and the corresponding SqlDataReader, and yesterday I was stuck on a completely unforeseeable issue, I fear I'm falling into some weird trap again.

Does anybody know what I need to do in order to read the values, not the column names?

Thanks in advance

  • you can't pass columns or table names as parameter ... Commented Aug 19, 2021 at 12:08
  • @Selvin. You are right. I have replaced my SQL command line by $"SELECT DISTINCT {col_Name} FROM {cmb_Table_Names.SelectedItem}";, and now it's working fine. Please write this as an answer, I'll accept it. Commented Aug 19, 2021 at 12:12
  • "Normally this way of working is fine": I am very surprised that works, given you are passing a column name as a parameter. You verified that works? Commented Aug 19, 2021 at 12:38
  • @mjwills: You're right, I've adapted my question accordingly. Commented Aug 19, 2021 at 12:58
  • Don't use addwithvalue Commented Aug 19, 2021 at 13:27

1 Answer

You can't use a column name as a command parameter; make everything an SQL string:

sqlCommand.CommandText = $"SELECT DISTINCT {col_Name} FROM {cmb_Table_Names.SelectedItem}";

I am sure OP knows about SQL injection.
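
As an added example (not code from the question or the answer): since identifiers cannot be passed as parameters, one way to keep the interpolated query safe is to accept only column and table names the application has already loaded, and to bracket-quote them before building the text. The class and method names, the sample data, and the assumption of single-part table names (no schema prefix) are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient; // Microsoft.Data.SqlClient exposes the same SqlCommandBuilder API

static class DistinctQuery
{
    // Hypothetical helper (not from the original post): builds the SELECT DISTINCT
    // text only from identifiers the application already knows, then quotes them.
    public static string Build(string table, string column,
                               ICollection<string> knownTables, DataTable schema)
    {
        // Allow-list: both names must match what was loaded from the database.
        if (!knownTables.Contains(table))
            throw new ArgumentException("Unknown table name", nameof(table));
        if (!schema.Columns.Contains(column))
            throw new ArgumentException("Unknown column name", nameof(column));

        // QuoteIdentifier wraps the name in [ ] and doubles any embedded ']'.
        var quoter = new SqlCommandBuilder();
        return $"SELECT DISTINCT {quoter.QuoteIdentifier(column)} " +
               $"FROM {quoter.QuoteIdentifier(table)}";
    }

    static void Main()
    {
        // Constructed sample data standing in for dt_main and the combo box items.
        var dt_main = new DataTable();
        dt_main.Columns.Add("City");
        dt_main.Columns.Add("Weird]Name");
        var tables = new HashSet<string> { "Customers" };

        Console.WriteLine(Build("Customers", "City", tables, dt_main));
        Console.WriteLine(Build("Customers", "Weird]Name", tables, dt_main));

        try
        {
            // Constructed hostile value: rejected because it is not a known column.
            Build("Customers", "City FROM Customers; DROP TABLE Customers; --",
                  tables, dt_main);
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

Values used in a WHERE clause still belong in SqlParameter objects; only identifiers need this allow-list and quoting treatment.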
