How to insert a variable inside a Select statement

 string table = "City";
 string query = "Select * from '" + table + "'";

This gives me an error indicating an incorrect character next to the " character,

but

 string query = "Select * from City"; 

gives the correct result.

+6
7 answers

You only need to replace

 string query = "Select * from '" + table + "'";

with

 string query = "Select * from " + table;

because your query string is not "Select * from City"; it instead forms "Select * from 'City'",

and therefore you get an error.

+5

Best practice would be to use string.Format:

 string table = "City";
 string query = string.Format("Select * from {0}", table);
+3

You need to form your query as shown below.

 string table = "City"; // You don't need to have a single quote...
 string query = " Select * From " + table;

To use the Where clause, do the following:

 // The Where clause only needs single quotes, to delimit the SQL value in between...
 string query = " Select * From " + table + " Where CityId = '" + cityId + "'";

Hope this helps.

+2

Best practice should be to not do this because it is prone to malicious SQL injection.

In any case, if you have control over the table variable, you should do it as @madcow69 suggested, but I suggest adding delimiters, so you always have a valid delimited identifier (for example, if your table name is "order" or any other SQL reserved word).

 string table = "City";
 string query = string.Format("Select * from [{0}]", table);

But what if table were the following?

 string table = "City]; DROP DATABASE [YourDB"; 
+1

You can make it work as follows:

 string table = "City";
 string query = "Select * from " + table;
0

Hope this helps.

 string table = "City"; // You don't need to have a single quote...
 string query = " Select * From " + table;
0

If you are using .NET 4.6, you can use the new "compound string formatting" feature introduced with C# 6.0 (read about it here).
This allows you to write your expression as follows:

 string query = $"Select * from {table}";

However, I would strongly recommend against writing such queries and using SQL parameters instead. This will help you avoid SQL injection attacks.

0
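The two points raised in the answers above (a delimited identifier is still not safe when the table name is attacker-controlled, and WHERE values belong in SQL parameters) combined into one added example; this is not code from any of the answers. It assumes a fixed allow-list of table names (constructed here as City, Country and Order) and the System.Data.SqlClient API; a table name cannot be passed as a SqlParameter, so it is checked against the allow-list before being wrapped in [] as a delimited identifier.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class SafeTableQuery
{
    // Constructed allow-list: the only tables this code is permitted to read.
    // "Order" is a reserved word, which is why the identifier is delimited with [].
    private static readonly HashSet<string> AllowedTables =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "City", "Country", "Order" };

    // Returns a bracket-delimited identifier, or throws if the name is not allowed.
    public static string DelimitTable(string table)
    {
        if (table == null || !AllowedTables.Contains(table))
            throw new ArgumentException("Table name is not in the allow-list.", nameof(table));
        // Defensive: a ']' inside an identifier is escaped as ']]' so the
        // delimiter cannot be closed early (the allow-list already excludes it).
        return "[" + table.Replace("]", "]]") + "]";
    }

    // Builds the SELECT: identifier from the allow-list, value as a parameter.
    public static SqlCommand BuildSelect(SqlConnection conn, string table, string cityId)
    {
        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT * FROM " + DelimitTable(table) + " WHERE CityId = @cityId";
        cmd.Parameters.Add("@cityId", SqlDbType.NVarChar, 50).Value = cityId;
        return cmd;
    }

    public static void Main()
    {
        Console.WriteLine(DelimitTable("Order"));
        try
        {
            // The string from the answer above never reaches the query text:
            // it fails the allow-list check first.
            DelimitTable("City]; DROP DATABASE [YourDB");
        }
        catch (ArgumentException e)
        {
            Console.WriteLine("Rejected: " + e.Message);
        }
    }
}
```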
