How to select data from table if table names are in Combo box
I was working on VB.NET and am now switching to C#. I was using the following code to use table as variable from combo box to fill a DataGrid:

```vb
Dim strTAB As String
dtTAB1 = New DataTable
strTAB = cboDTA_TBL.Text
adpPRJ = New SqlDataAdapter("Select * from """ & strTAB & """", conPRJ_NET)
'conPRJ_NET is connection to connect MsSQL Database on server.
adpPRJ.Fill(dtTAB1)
dgFIN_TAB.DataSource = dtTAB1
```

I am looking for the C# equivalent of `""" & strTAB & """`.

This code works perfectly in vb.net, no errors.

Can anyone help?

Tags: c# .net vb.net
edited Mar 22 at 11:17 by ADyson
asked Mar 22 at 11:13 by WamanIna
2
so are you looking for a concatenation operator in c#? It is + but sometimes you might have to convert to string, first. I would suggest renaming the title.
– Dr Phil
Mar 22 at 11:15
2
This code is a SQL injection disaster waiting to happen.
– ADyson
Mar 22 at 11:19
I have already tried with changing & to + in C#. But it's not working.
– WamanIna
Mar 22 at 11:19
Anyway the answer to your question can be found here, I expect: docs.microsoft.com/en-us/dotnet/csharp/how-to/… . Did you even try to google this? It's a pretty basic language concept. It's not quite as simple as just replacing & with +, you've got the escaping of the quote marks to contend with as well. But if you fixed your SQL injection vulnerability you wouldn't have to deal with that. I worry that you appear to be letting the user control almost the entire SQL statement being executed. That is a serious hole in your code.
– ADyson
Mar 22 at 11:20
(N.B. Note that if you're trying to vary the table name being selected, then parameterisation can't actually help you, because you can't parameterise a table name, only a variable/field value. Instead you need to whitelist the table names allowed, to stop users executing arbitrary SQL against your database).
– ADyson
Mar 22 at 11:22
3 Answers
As mentioned, this is a bad design, due to SQL Injection, but here's your answer:

```csharp
var strTAB = "tableName";
// String interpolation: {strTAB} is replaced by the variable's value
string myString = $"Select * from {strTAB}";
```
answered Mar 22 at 11:32 by WynDiesel
Thanks for your suggestion. It's working fine.
– WamanIna
Mar 22 at 11:50
@WamanIna. Glad to hear it! Can you please check this as the answer?
– WynDiesel
Mar 22 at 11:51
There is one more option which is working now: `string myString = "Select * from " + strTAB;`
– WamanIna
Mar 22 at 11:52
You said: Bad Design. Any suggestion to do the same in a better way... please.
– WamanIna
Mar 22 at 11:53
Concatenating with a "+" would also work, yes, but is generally frowned upon, and not as easy to read as string interpolation (the `{value}` syntax I used).
– WynDiesel
Mar 22 at 11:54
Although normally you would never concatenate strings to build an Sql statement, you do not need to be concerned about Sql Injection if your combo box `DropDownStyle` is set to `DropDownList`. This is essentially "limit to list" but it is NOT the default setting.

The `using` statements ensure that your database objects are closed and disposed.

I am not sure what the double quotes around the table name are supposed to do, but in Sql Server the identifier delimiters are square brackets ( [ ] ).

```csharp
// Requires: using System.Data; using System.Data.SqlClient;
private void button1_Click(object sender, EventArgs e)
{
    // Table name comes from the combo box, wrapped in SQL Server identifier brackets
    string query = "Select * From [" + cboDTA_TBL.Text + "];";
    DataTable dtTAB1 = new DataTable();
    using (SqlConnection conPRJ_NET = new SqlConnection("Your connection string"))
    using (SqlDataAdapter adpPRJ = new SqlDataAdapter(query, conPRJ_NET))
    {
        adpPRJ.Fill(dtTAB1); // Fill opens and closes the connection itself
    }
    dgFIN_TAB.DataSource = dtTAB1;
}
```
answered Mar 23 at 18:37 by Mary
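The allowlist approach raised in the question's comments, combined with the bracket delimiters from the answer above, as an added example that is not code from the thread: the SQL text is built only from table names the application itself defines, so the combo box text is never concatenated into the statement, whatever the control's `DropDownStyle`. The `TableQueryBuilder` class, its members and the table names are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

// Added example, not code from the thread. Table names and labels are constructed.
public static class TableQueryBuilder
{
    // Combo box label -> real table name. The application owns this list;
    // nothing the user types is ever copied into the SQL text.
    private static readonly Dictionary<string, string> AllowedTables =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "Customers", "Customers" },
            { "Orders", "Orders" },
            { "Stock 2019", "Stock [2019]" }, // awkward but legal SQL Server name
        };

    // Labels to load into the combo box, so the UI and the check share one source.
    public static IEnumerable<string> ComboBoxItems
    {
        get { return AllowedTables.Keys; }
    }

    // Same rule as T-SQL QUOTENAME: wrap in brackets and double any closing bracket.
    public static string QuoteIdentifier(string name)
    {
        return "[" + name.Replace("]", "]]") + "]";
    }

    // Returns false (and no SQL) unless the selection maps to an allowlisted table.
    public static bool TryBuildSelect(string selected, out string sql)
    {
        sql = string.Empty;
        if (string.IsNullOrWhiteSpace(selected))
            return false;

        string tableName;
        if (!AllowedTables.TryGetValue(selected.Trim(), out tableName))
            return false;

        // Built from the dictionary value, never from the caller's string.
        sql = "SELECT * FROM " + QuoteIdentifier(tableName) + ";";
        return true;
    }

    public static void Main()
    {
        // Constructed inputs: three legitimate selections, then two strings that
        // could be typed into an editable combo box or set from other code.
        string[] samples =
        {
            "Orders",
            "customers",
            "Stock 2019",
            "Payroll",
            "Orders]; SELECT 1; --",
        };

        foreach (string selected in samples)
        {
            string sql;
            if (TryBuildSelect(selected, out sql))
                Console.WriteLine("accepted: " + sql);
            else
                Console.WriteLine("rejected: " + selected);
        }
    }
}
```

The string from `TryBuildSelect` can be passed to `SqlDataAdapter` exactly as in the answer above; a rejected selection never reaches the database.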
I use a MySQL command like this:

```csharp
string db_name = "test";
string db_table = "table";
command.CommandText = "SELECT * FROM " + db_name + "." + db_table + " WHERE ID = \"ID\";";
// sometimes you need the: ' around the string-variables
command.CommandText = "SELECT * FROM '" + db_name + "." + db_table + "' WHERE ID = \"ID\";";
```
answered Mar 22 at 11:32 by zeitgeist02
and how is MySQL relevant to a SQL Server question? I agree you've shown the string concatenation syntax for C#, so maybe focus on that (and use the OP's code, not some random bit of yours) in your description instead. Make your answer relevant, not a generic copy and paste example
– ADyson
Mar 22 at 11:42