Click here to Skip to main content
15,880,543 members
Search within:


How do we insert a form data into mysql database table using variable value ?
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
C#
MySQL
database
 
Hello,

I want to use an assigned variable name as a "Tablename" for MySql Database. How to do ? Plz help...

For example : MySqlCommand cmd = new MySqlCommand(@"INSERT INTO ' + tablename + ' 

I tried this but it is giving me an error. 
Error : "Please check mysql manual for the correct syntax near ' + tablename + '...


What I have tried:

I tried the following code :

string tablename = "MyStore";

MySqlCommand cmd = new MySqlCommand(@"INSERT INTO ' + tablename + '
(Column1, Column2, Column3, Column4, Column5)
VALUES(@a, @b, @c, @d, @e)", con);
Posted
Updated 16-Nov-22 18:55pm
Add a Solution

1 solution

Try this:
C#
string tablename = "MyStore";

MySqlCommand cmd = new MySqlCommand("INSERT INTO " + tablename + 
                                    "(Column1, Column2, Column3, Column4, Column5)" + 
                                    "VALUES(@a, @b, @c, @d, @e)", con);


But ... be aware that its generally a very poor idea as it leaves you open to SQL Injection if the user has access to the variable content. You should never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
SQL
DROP TABLE MyTable;
A perfectly valid "delete the table" command
SQL
--'
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?
 
Share this answer
 
Posted
Updated 16-Nov-22 18:57pm
v2
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month
Related Questions
Insert Data to database form textfield using java
How do I insert data retrieved from a mysql database back into another table.
How do I insert data into 2 tables using PHP and mysql ?
How do I insert all fields displayed on a table into mysql database table
Insert is not working in mysql 8.0
ERROR 500 when trying to insert excel data to mysql using PHP
How to insert data in a mysql database using a html form
How do I spilt a string into two variables to insert it in mysql
How to insert <p> tag attribute value in mysql table
Insert data from a PHP dropdown menu into a Mysql database table

Advertise
Privacy
Cookies
Terms of Use
Last Updated 17 Nov 2022
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web01 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900