I have a table in the database with columns Profile_Name and Profile_Tip.

I have a textbox in my application where I enter the text for the table name. I want to create a table in the database with this name. I want to use Profile_Name values as the column names of the newly created table without causing SQL injection. Kindly help. I am a fresher using the languages. Thank you in advance.
Updated 31-Aug-12 6:41am

If I understood your question correctly, you want to have a dynamic table name in a CREATE TABLE command and you're worried about SQL injections (which of course is a good thing!).

If that's the case, one possibility is that you rely on the naming restrictions. For example, you don't allow any escaped characters, semicolons, quotation marks and so on in the table name in the text box. Eliminating all the delimiter characters would help to prevent many SQL injections.

However, if you're about to create dynamically named tables, I feel that you could solve the requirement in another way. Without knowing anything more about the actual situation, I would guess that you could have a single, pre-defined table and add more columns to the table to distinguish the rows.
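
One way to apply the naming-restriction approach from the answer above, written as an allowlist rather than a list of forbidden characters. This is an added example, not part of the original answer; it assumes SQLite, a source table named `Profiles` (the question does not name it), TEXT columns, and hypothetical helper names.

```python
import re
import sqlite3

# Allowlist: a letter or underscore first, then letters, digits, underscores.
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")

def safe_identifier(name):
    """Return name as a quoted identifier, or raise ValueError."""
    if not isinstance(name, str) or not IDENTIFIER.fullmatch(name):
        raise ValueError(f"rejected identifier: {name!r}")
    # After the allowlist no quote character can be present; quoting only
    # keeps reserved words such as "select" usable as names.
    return '"' + name + '"'

def create_profile_table(conn, table_name):
    """Create table_name with one TEXT column per Profile_Name value."""
    table = safe_identifier(table_name)
    # Column names come from the database, but they are still untrusted:
    # someone typed them in at some point, so they pass the same check.
    rows = conn.execute("SELECT Profile_Name FROM Profiles ORDER BY rowid")
    columns = [safe_identifier(r[0]) for r in rows]
    if not columns:
        raise ValueError("no Profile_Name values to use as columns")
    if len({c.lower() for c in columns}) != len(columns):
        raise ValueError("duplicate column names")
    # Identifiers cannot be bound as parameters, so the statement is
    # assembled from validated, quoted names only.
    ddl = f"CREATE TABLE {table} ({', '.join(c + ' TEXT' for c in columns)})"
    conn.execute(ddl)
    return ddl

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Profiles (Profile_Name TEXT, Profile_Tip TEXT)")
    # Constructed sample rows; values are bound as parameters.
    conn.executemany("INSERT INTO Profiles VALUES (?, ?)",
                     [("Height", "cm"), ("Weight", "kg")])
    ddl = create_profile_table(conn, "Measurements")
    try:
        create_profile_table(conn, 'x (a); DROP TABLE Profiles; --')
        rejected = False
    except ValueError:
        rejected = True
    return ddl, rejected

if __name__ == "__main__":
    print(demo())
```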

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)