How to create name of data table using textbox

Question

0.00/5 (No votes)

See more:

Can you help me with this sql command

What I have tried:

CON.Open();
     SqlCommand comand =new SqlCommand("CREATE TABLE Dobavljaci +textBox2.Text(ID int,Naziv Char(50),Sjediste Char(50),Adresa Char (50),Ziroracun Char (50),sifra Char(50),JIB Char(50);",CON);

     comand.ExecuteNonQuery();
CON.Close();

and later one how to use

C#

"SELECT","INSERT"

But how to add additional name with textbox2.text
so i want to create table with name" Dobavljaci and textbox.text"

Ok i have different problem now

SqlCommand comand = new SqlCommand("CREATE TABLE Dobavljaci" +textBox.Text+ "(ID int NOT NULL identity(1,1) primary key,Naziv varchar(50),Sjediste varchar(50),Adresa varchar (50),Ziroracun varchar (50),sifra varchar(50),JIB varchar(50),Ulaz money,Izlaz money);", CON);

on this kind of sql command i have problem when i enter two word in textBox he is giving me error incorrect syntax near the second word when i have only one word he is creating the tables

Posted 25-Jun-17 4:49am

Member 13084733

Updated 28-Jun-17 15:04pm

v4

Add a Solution

2 solutions

Solution 2

Quote:
How to create name of data table using textbox

The whole idea look wrong to me, it looks like a wrong solution to another problem.
Can you describe the original problem leading to this solution ?
Will you have the user to type the table name in textbox2.text every time he will want to access it ?

Not a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens door to a vulnerability named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems, a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]

Posted 25-Jun-17 6:54am

Patrice T

Comments

Member 13084733 25-Jun-17 15:05pm

First i know about SQL injection this is just for question purpose
second i will create several clients in software and i need to create table dobavljaci(suppliers ) with name of that client so later when i add some data i can use specific table of that supplier of course one client will have few tables

Patrice T 25-Jun-17 15:51pm

The usage is to have a single table or set of tables with a field as the client id.

Richard Deeming 26-Jun-17 12:13pm

That's a terrible database design!

Database Normalization Explained in Simple English[^]

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Michael_Davies · Accepted Answer · 2017-06-25T05:53:00

Solution 1

You need a space after the keyword TABLE, currently you have TABLE<whateverisintextbox2> concatenated together.

Posted 25-Jun-17 5:53am

Michael_Davies

Comments

Member 13084733 25-Jun-17 12:13pm

second code works but i need to add additional name or text with textbox.text

Michael_Davies 25-Jun-17 12:19pm

Please explain what you mean, you say it works yet you say you need to add additional name.

There is no space in your SQL between the word TABLE and the contents of textbox2.text, so if textbox2.text had the word "door" in it the resulting SQL would be;

Also you fail to close the opening parenthesis there should be another ) after JIB char(50) and before the ;

CREATE TABLEdoor(ID int,Naziv Char(50),Sjediste Char(50),Adresa Char (50),Ziroracun Char (50),sifra Char(50),JIB Char(50));

Which should fail as TABLEdoor is not an SQL keyword, put a space in to get;

CREATE TABLE door(ID int,Naziv Char(50),Sjediste Char(50),Adresa Char (50),Ziroracun Char (50),sifra Char(50),JIB Char(50));

Which should then work.

Member 13084733 25-Jun-17 15:00pm

Sorry this is main problem i edit the question

Michael_Davies 25-Jun-17 15:08pm

Okay, now you have changed the SQL but the textbox2.text is inside the string and therefore will only be treated as the word textbox2.text and not the contents of the textbox2.text control.

Also note you are still missing the closing parenthesis, I've added it in below.

Here you go;

SqlCommand comand =new SqlCommand("CREATE TABLE Dobavljaci" + textBox2.Text + "(ID int,Naziv Char(50),Sjediste Char(50),Adresa Char (50),Ziroracun Char (50),sifra Char(50),JIB Char(50));",CON);

BEWARE IT IS NOT GOOD TO CONCATENATE A STRING FOR AN SQL COMMAND, YOU ARE VULNERABLE TO SQL INJECTION AS THE USER CAN TYPE ANYTHING AND COULD WREAK HAVOC.

You will also need to verify the string does not contain invalid characters for a table name or it will fail, you will need to use Try..Catch.

Member 13084733 25-Jun-17 15:22pm

Thank you this works and i created
string tec = textBox2.Text;

Member 13084733 28-Jun-17 21:05pm

have a problem again