
I have a database with tables that are created by the user. This obviously means that I don't know what the tables are called beforehand, so I can't access them like others where I could simply do:

"SELECT * FROM table_name"

To solve this the first method I tried was to use parameters like:

MySqlCommand command = new MySqlCommand("SELECT * FROM @table");
command.Parameters.AddWithValue("@table", table_name);

However, this caused an error. I presume this is because you can't use parameters for things like table names and column names. The second way I had to solve this was to just add the name of the table to the string:

string tableName = "table_name";
MySqlCommand command = new MySqlCommand("SELECT * FROM " + tableName.ToString());

However, as far as I'm aware, this is very susceptible to attacks like SQL injection. So my question is: what is the best/safest way of accessing tables where the table name is a variable?

Any help is greatly appreciated, thanks in advance.

0 Answers
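One way to handle the variable table name described in the question, as an added example that is not part of the original post: accept the name only if it matches a table that actually exists, then backtick-quote it before concatenating. The class `TableNames`, the `KnownTables` set and the sample names are assumptions constructed for illustration, and the comparison assumes case-sensitive table names.

```csharp
using System;
using System.Collections.Generic;

static class TableNames
{
    // Assumption: in a real application this set is loaded with an ordinary
    // parameterized query, because here the table name is a *value*, e.g.
    //   SELECT table_name FROM information_schema.tables
    //   WHERE table_schema = DATABASE()
    // The names below are constructed sample data.
    static readonly HashSet<string> KnownTables =
        new HashSet<string>(StringComparer.Ordinal) { "orders", "user notes", "odd`name" };

    // Returns the identifier quoted for MySQL, or throws if it is not a known table.
    public static string Quote(string requested)
    {
        if (requested == null || !KnownTables.Contains(requested))
            throw new ArgumentException("Unknown table name.");

        // MySQL quotes identifiers with backticks; an embedded backtick is doubled.
        return "`" + requested.Replace("`", "``") + "`";
    }

    // Only an allowlisted, quoted identifier ever reaches the SQL text.
    public static string BuildSelect(string requested) =>
        "SELECT * FROM " + Quote(requested);

    static void Main()
    {
        // Constructed inputs: three existing tables and one string that is not a table.
        string[] inputs = { "orders", "user notes", "odd`name", "orders; --" };

        foreach (var input in inputs)
        {
            try
            {
                Console.WriteLine(BuildSelect(input));
            }
            catch (ArgumentException e)
            {
                Console.WriteLine($"rejected [{input}]: {e.Message}");
            }
        }
    }
}
```

Values used in `WHERE` clauses of the resulting statement still go through `command.Parameters`; only the identifier is handled this way.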