Hello,
I understand the danger of Little Bobby Tables, but I was wondering if it's possible to concatenate an SQL statement.
I know - most of you have already deemed me an idiot, but here's the scenario:
1. Form Loads, grabs all of the table names from the database, adds them to a combobox collection.
2. Based on the selected item, information is displayed about that table in a series of datagridviews in a tabcontrol.
Since there is no user input (only what is already in the collection of table names) I can't see any danger of using variables/form control data instead of parameters.
Here is what I'm trying to accomplish:
Code:
Dim queryString1 As String = "SELECT * FROM [dbo." & TableNameCB.SelectedText & "] WHERE [In Stock] = 'true' & Deleted = 'false'"
Here is my full code:
Code:
Dim connstring As String = "Server=COMPUTERNAME\SQLSSRSServer;Database=Assets;Trusted_Connection=Yes;"
Dim connection As New SqlConnection(connstring)
connection.Open()
'Fill the datagridviews with data from the database
'---------------DataGridView1---------------------------
'configure sql statement and open connection/execute statement using dataadapter
Dim queryString1 As String = "SELECT * FROM [dbo." & TableNameCB.SelectedText & "] WHERE [In Stock] = 'true' & Deleted = 'false'"
Dim DA1 As SqlDataAdapter = New SqlDataAdapter(queryString1, connection)
'create a dataset object to store the data returned from the database in memory
Dim current_stock As DataSet = New DataSet
'use dataadapter to store data in dataset object
DA1.Fill(current_stock, "CurrentStock")
DataGridView1.DataSource = current_stock.Tables("CurrentStock")
connection.Close()
This is also something only a handful of people will be using, all of them domain administrators with access to the database itself; they could all do a whole hell of a lot more damage if they wanted.
Any help is appreciated.
Thanks,
Diatech
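An added example, not the poster's code, of how this scenario is usually handled: the selected table name is checked against the same catalog-derived list that filled the combobox, then bracket-quoted as an identifier, while the filter values are bound as parameters. It reads the selection with SelectedItem rather than SelectedText, because ComboBox.SelectedText is only the highlighted text of the editable portion and is empty for a DropDownList, which is consistent with the statement collapsing to "[dbo." in the error. It assumes the Assets database and connection string from the post.

```vbnet
' Added example (not the poster's code); assumes the Assets database from the post.
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.SqlClient
Public Class StockLoader
    Private ReadOnly connString As String =
        "Server=COMPUTERNAME\SQLSSRSServer;Database=Assets;Trusted_Connection=Yes;"
    ' Allow-list of dbo table names read from the catalog; bind the combobox to it
    ' and check the selection against it before splicing it into a statement.
    Public ReadOnly AllowedTables As New HashSet(Of String)()
    Public Sub LoadTableNames()
        Using conn As New SqlConnection(connString)
            conn.Open()
            Using cmd As New SqlCommand(
                    "SELECT name FROM sys.tables WHERE schema_id = SCHEMA_ID('dbo')", conn)
                Using rdr As SqlDataReader = cmd.ExecuteReader()
                    While rdr.Read()
                        AllowedTables.Add(rdr.GetString(0))
                    End While
                End Using
            End Using
        End Using
    End Sub
    ' Pass CStr(TableNameCB.SelectedItem): SelectedText is only the highlighted
    ' text of the editable portion and is empty for a DropDownList, so the
    ' statement in the post collapses to "FROM [dbo.]".
    Public Function LoadCurrentStock(selectedTable As String) As DataTable
        If Not AllowedTables.Contains(selectedTable) Then
            Throw New ArgumentException("Not a known dbo table: " & selectedTable)
        End If
        ' Identifiers cannot be bound as parameters, so the validated name is
        ' bracket-quoted with any "]" doubled; the filter values are parameters,
        ' joined with AND (in T-SQL "&" is the bitwise-and operator).
        Dim sql As String =
            "SELECT * FROM [dbo].[" & selectedTable.Replace("]", "]]") & "] " &
            "WHERE [In Stock] = @inStock AND Deleted = @deleted"
        Using conn As New SqlConnection(connString)
            Using cmd As New SqlCommand(sql, conn)
                cmd.Parameters.AddWithValue("@inStock", "true")
                cmd.Parameters.AddWithValue("@deleted", "false")
                Dim result As New DataTable("CurrentStock")
                Using da As New SqlDataAdapter(cmd)
                    da.Fill(result)   ' the adapter opens and closes the connection
                End Using
                Return result
            End Using
        End Using
    End Function
End Class
```

In the form, call LoadTableNames() on load and fill the combobox from AllowedTables, then set DataGridView1.DataSource = loader.LoadCurrentStock(CStr(TableNameCB.SelectedItem)) when the selection changes.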