-1

I have a query with SQL parameters. My parameter must be my table from the database and I don't know how I can realize this.

I did it like this:

myCommand = myConnection.CreateCommand()
myCommand.CommandType = CommandType.Text
myCommand.CommandText =
"SELECT Id, Bez, Param5, Info from Table" & "@idFixed"
myCommand.Parameters.Add("@idFixed", SqlDbType.VarChar).Value = strIdFixed

strIdFixed (the transmitted parameter) must be some kind of id, because I have many tables with names Table01, Table02, Table333, ...

Emma W.
  • You usually cannot specify the table name as a parameter in a prepared statement, because allowing this would be a security risk and would defeat the point of the statement. If you need to query a certain table in a safe way, then create a prepared statement for that specific table. – Tim Biegeleisen Sep 15 '17 at 11:54
  • @TimBiegeleisen How can I do this? – Emma W. Sep 15 '17 at 11:55

1 Answer

1

I have it

Dim tableName As String = "Test" + strIdFixed.ToString.Trim
Dim builder = New SqlCommandBuilder()
Dim escapedTableName As String = builder.QuoteIdentifier(tableName)

myCommand = myConnection.CreateCommand()
myCommand.CommandType = CommandType.Text
myCommand.CommandText =
"SELECT Id, Bez, Param5, Info from " + escapedTableName

Thanks to https://stackoverflow.com/a/17948039/6787667

Emma W.
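An added example, not part of the original answer: QuoteIdentifier only escapes the name, so this version also restricts the suffix to digits and confirms the table exists before the name is concatenated into the query. The helper names, the `Table` prefix taken from the question, the `dbo` schema and the 1 to 4 digit limit are assumptions.

```vbnet
Imports System.Data
Imports System.Data.SqlClient
Imports System.Text.RegularExpressions

Module TableQueryExample

    ' Hypothetical helper: accepts only a 1 to 4 digit suffix such as "01" or "333" (assumed limit).
    Function BuildTableName(suffix As String) As String
        If suffix Is Nothing Then Throw New ArgumentNullException("suffix")
        Dim trimmed = suffix.Trim()
        ' [0-9] instead of \d so that only ASCII digits pass; \A and \z anchor the whole string.
        If Not Regex.IsMatch(trimmed, "\A[0-9]{1,4}\z") Then
            Throw New ArgumentException("Table suffix must be 1 to 4 digits.", "suffix")
        End If
        Return "Table" & trimmed
    End Function

    ' Hypothetical helper: here the table name is a value, not an identifier, so it can be a parameter.
    Function TableExists(conn As SqlConnection, tableName As String) As Boolean
        Using cmd = conn.CreateCommand()
            cmd.CommandText = "SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES " &
                              "WHERE TABLE_SCHEMA = 'dbo' AND TABLE_NAME = @name" ' dbo is assumed
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 128).Value = tableName
            Return CInt(cmd.ExecuteScalar()) = 1
        End Using
    End Function

    ' Builds the SELECT from the page only after the name has passed both checks.
    Function CreateSelectCommand(conn As SqlConnection, suffix As String) As SqlCommand
        Dim tableName = BuildTableName(suffix)
        If Not TableExists(conn, tableName) Then
            Throw New InvalidOperationException("Unknown table: " & tableName)
        End If
        ' Quoting stays as a last layer of defence, as in the answer above.
        Dim quoted = New SqlCommandBuilder().QuoteIdentifier(tableName)
        Dim cmd = conn.CreateCommand()
        cmd.CommandType = CommandType.Text
        cmd.CommandText = "SELECT Id, Bez, Param5, Info FROM " & quoted
        Return cmd
    End Function

End Module
```

`CreateSelectCommand` expects an already opened connection, because the existence check runs a query.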