A parameterized query is not working as expected when executing an Informix ODBC command in C#:

OdbcCommand oc = Connection.CreateCommand();
// the table name is supplied as a bound parameter here
oc.CommandText = "SELECT COUNT(*) AS CNT, MAX(someattr) AS attr1 FROM ?";
oc.Parameters.Add(new OdbcParameter() { Value = table.Name, OdbcType = OdbcType.Char });
try
{
    OdbcDataReader or = oc.ExecuteReader(); // here the exception occurs
    ....

Exception occurs: ERROR [42000] [Informix][Informix ODBC Driver][Informix]A syntax error has occurred.

But the following code, which splices the table name into the statement text, works without an exception:

OdbcCommand oc = Connection.CreateCommand();
oc.CommandText = String.Format("SELECT COUNT(*) AS CNT, MAX(someattr) AS attr1 FROM {0}", table.Name);
try
{
    OdbcDataReader or = oc.ExecuteReader();
    ...

What might be the problem with the parameterized query? :/

  • Parameters do not work for table or column names. – Fabio Oct 04 '16 at 05:07
  • @Fabio Thank you. Additional question then: how to prevent SQL injection if parameters are not supported for table or column names? – Developer Marius Žilėnas Oct 04 '16 at 05:16
  • In a duplicate question somewhere there was a very good suggestion: load all table names you are going to use for your query from the database and check whether the given table name is in the loaded list. – Fabio Oct 04 '16 at 05:33
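One way to apply the whitelist suggestion from the comments, as an added example that is not code from the question: the table name is only spliced into the statement text after it matches, byte for byte, a name read from the Informix catalog (this assumes the standard `systables` catalog with its `tabname`/`tabtype` columns; `LoadTableNames` and `BuildCountQuery` are names chosen here).

```csharp
using System;
using System.Collections.Generic;
using System.Data.Odbc;

static class SafeTableQuery
{
    // Reads the names of ordinary user tables (tabtype 'T') from the
    // Informix catalog. Run once per connection and cache the result.
    public static HashSet<string> LoadTableNames(OdbcConnection conn)
    {
        var names = new HashSet<string>(StringComparer.Ordinal);
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT tabname FROM systables WHERE tabtype = 'T'";
            using (var rdr = cmd.ExecuteReader())
                while (rdr.Read())
                    names.Add(rdr.GetString(0).Trim()); // Trim() drops CHAR padding
        }
        return names;
    }

    // Builds the statement only when the requested name is an exact match for
    // a catalog entry; any other input (typos, injected text) is rejected and
    // never reaches the SQL string. Exact (ordinal) comparison on purpose.
    public static string BuildCountQuery(string requested, ISet<string> allowed)
    {
        if (requested == null || !allowed.Contains(requested))
            throw new ArgumentException("Unknown table: " + requested);
        return "SELECT COUNT(*) AS CNT, MAX(someattr) AS attr1 FROM " + requested;
    }

    static void Main()
    {
        // Constructed whitelist standing in for LoadTableNames(connection),
        // so the check can be exercised without a database.
        var allowed = new HashSet<string>(StringComparer.Ordinal) { "customer", "orders" };

        Console.WriteLine(BuildCountQuery("customer", allowed));

        try { BuildCountQuery("not_a_table", allowed); }
        catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Column names used in the statement (here `someattr`) should be validated the same way, against `syscolumns` or a fixed list in the code, since they cannot be bound as parameters either.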
