Combo boxes are dangerous: they allow the user to type what they want, it isn't restricted to just the items in it's list. A drop down list is safer, but still requires care. The reason why is simple; if the user can directly influence what becomes part of an SQL Command, your database is at risk of SQL Injection which can damage or destroy it.
And unfortunately, table names cannot be passed as parameters due to teh order in which the SQL DB engine processes commands.
The search text has exactly the same problem: when you concatenate strings, you cause problems because SQL receives commands like:
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;
Which SQL sees as three separate commands:
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
DROP TABLE MyTable;
A perfectly valid "delete the table" command
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.
So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?
So while it's possible to do what you want, it's not a good idea unless you ensure that only "safe" commands can be entered - which means a collection of valid SQLK table names which are allowed to be used.
Then it's a simple matter: add the table name from a collection, and the search text as a parameter:
string sql = $"SELECT * FROM {validTables[index]} WHERE firstName LIKE '%' + @FN + '%'";
using (SqlCommand cmd = new SqlCommand(sql, con))
{
cmd.Parameters.AddWithValue("@FN", txtIndexSearch.Text);
...
}
Submit an article or tip