Bytes IT Community

C# use string variable in string

Hi,

I'm trying to use my variable in another variable. How can I achieve
that?

I can use + (concat) but it will be a lot me to concatenate.

I have to use 3 variables with 15 replacements.

Ex:
C# Code:

string table = "TABLE_AD";
string name = "BOB";
//???
string abc = (@"SELECT EMAIL
FROM {0}
WHERE IDSID='{1}';",table,name);

My final abc variable will be
SELECT EMAIL FROM TABLE_AD WHERE IDSID='BOB';

In Perl it is super easy:
$table = "TABLE_AD";
$name = "BOB";
$abc = "SELECT EMAIL FROM $table WHERE IDSID='$name';";
Oct 2 '08 #1
9 Replies


On Wed, 01 Oct 2008 17:55:35 -0700, Slickuser <sl*********@gmail.com>
wrote:
I'm trying to use my variable in another variable. How can I achieve
that?

I can use + (concat) but it will be a lot me to concatenate.
What does "it will be a lot me to concatenate" mean? Are you concerned
there's a performance cost? If so, then I think your concern is
unwarranted in this particular example.
I have to use 3 variables with 15 replacements.

Ex:
C# Code:

string table = "TABLE_AD";
string name = "BOB";
//???
string abc = (@"SELECT EMAIL
FROM {0}
WHERE IDSID='{1}';",table,name);

My final abc variable will be
SELECT EMAIL FROM TABLE_AD WHERE IDSID='BOB';
You could use the String.Format() method. And in many situations, it's a
great way to accomplish what you're asking. However, your example is
specifically inserting data into a SQL command string, which is generally
considered a bad idea, due to the security vulnerabilities it can
introduce (Google "SQL injection").

If you have absolute, complete control over the inserted data, maybe you
can get away with that. Otherwise, you should definitely use a
parameterized query instead.

Pete
Oct 2 '08 #2

string abc = string.Format("SELECT EMAIL FROM {0} WHERE IDSID='{1}';", table, name);
Oct 2 '08 #3

Peter Duniho wrote:
>Otherwise, you should definitely use a parameterized query instead.
X 2
Oct 2 '08 #4

On Oct 1, 6:00 pm, "Peter Duniho" <NpOeStPe...@nnowslpianmk.com> wrote:
You could use the String.Format() method. And in many situations, it's a
great way to accomplish what you're asking. However, your example is
specifically inserting data into a SQL command string, which is generally
considered a bad idea, due to the security vulnerabilities it can
introduce (Google "SQL injection").
I looked at SQL injection:

using (SqlCommand myCommand = new SqlCommand("select * from Users where UserName=@username and Password=@password", myConnection))
{
    myCommand.Parameters.AddWithValue("@username", user);
    myCommand.Parameters.AddWithValue("@password", pass);

    myConnection.Open();
    SqlDataReader myReader = myCommand.ExecuteReader();
    ...
}

This works great.

What if my table name has to be different each time I call this
function?

string abc = @"SELECT EMAIL
FROM @TABLE_NAME
WHERE IDSID=@user";

using (SqlCommand myCommand = new SqlCommand(abc, myConnection))
{
    myCommand.Parameters.AddWithValue("@user", userName);
    myCommand.Parameters.AddWithValue("@TABLE_NAME", tableName);
}

This doesn't get my database to query because @TABLE_NAME doesn't
pass in.
If you have absolute, complete control over the inserted data, maybe you
can get away with that. Otherwise, you should definitely use a
parameterized query instead.

Pete
Oct 2 '08 #5

On 2 Oct, 02:47, Slickuser <slick.us...@gmail.com> wrote:
What if my table name has to be different each time I call this
function?

string abc = @"SELECT EMAIL
FROM @TABLE_NAME
WHERE IDSID=@user";

using (SqlCommand myCommand = new SqlCommand(abc, myConnection))
{
    myCommand.Parameters.AddWithValue("@user", userName);
    myCommand.Parameters.AddWithValue("@TABLE_NAME", tableName);
}

This doesn't get my database to query because @TABLE_NAME doesn't
pass in.


Use EXEC in your stored procedure:

ALTER PROCEDURE GetEmail
    @TABLE_NAME varchar(100),
    @user varchar(30)
AS
    EXEC('SELECT EMAIL FROM [' + @TABLE_NAME + '] WHERE IDSID = ''' + @user + '''')
Oct 2 '08 #6

On Oct 2, 8:57 am, "JTC^..^" <d...@jazzthecat.co.uk> wrote:

<snip>
Use EXEC in your stored Procedure
That just moves SQL injection into the stored proc.

I would recommend using query parameterisation for everything
possible, and then having really, really tight checking where you
can't (e.g. table names) and try to avoid getting into that situation
in the first place.

Jon
Oct 2 '08 #7

Slickuser wrote:
What if my table name has to be different each time I call this
function?

string abc = @"SELECT EMAIL
FROM @TABLE_NAME
WHERE IDSID=@user";

using (SqlCommand myCommand = new SqlCommand(abc, myConnection))
{
    myCommand.Parameters.AddWithValue("@user", userName);
    myCommand.Parameters.AddWithValue("@TABLE_NAME", tableName);
}

This doesn't get my database to query because @TABLE_NAME doesn't
pass in.
If you need to dynamically set the table name, that suggests that the
database design is wrong. Data should be stored as data in the tables,
not as table names or field names.

Put the data in a single table, and put whatever it is that you now have
as table name into a column in the table.

--
Göran Andersson
_____
http://www.guffa.com
Oct 2 '08 #8

That just moves SQL injection into the stored proc.

Just for completeness, you could avoid the EXEC injection risk using
(parameterised) sp_ExecuteSQL (to avoid concatenating user data), and
white-listing the table name (the only bit that gets concatenated). But
I'd have to agree that avoiding this in the first place if possible is
desirable; in this example there isn't a lot to choose between a
parameterised SqlCommand and parameterised TSQL (via sp_ExecuteSQL) in
an SP, so I'd go for the simplest, which probably means the first.

Marc
Oct 2 '08 #9
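As an added example (not code from anyone in this thread), here is the approach Jon (#7) and Marc (#9) describe, done on the C# side: the IDSID value travels as a SqlParameter, and the table name, which cannot be a parameter, is checked against an allow-list before being bracket-quoted into the command text. The table names in the allow-list and the 30-character length of IDSID are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class EmailLookup
{
    // Allow-list of tables this code may query. The names are constructed for the
    // example; in practice they come from the schema you own, never from a caller.
    private static readonly HashSet<string> AllowedTables =
        new HashSet<string>(StringComparer.Ordinal) { "TABLE_AD", "TABLE_HR" };

    // Returns the bracket-quoted identifier, or throws if the name is not allow-listed.
    // A table name cannot be a SqlParameter, so this check stands in for one.
    public static string QuoteTable(string table)
    {
        if (table == null || !AllowedTables.Contains(table))
            throw new ArgumentException("Table is not in the allow-list.", "table");
        return "[" + table.Replace("]", "]]") + "]";
    }

    // Builds the command from the thread: the identifier is allow-listed and quoted,
    // the user id is a typed parameter and is never concatenated into the SQL text.
    public static SqlCommand BuildCommand(SqlConnection connection, string table, string userId)
    {
        string sql = "SELECT EMAIL FROM " + QuoteTable(table) + " WHERE IDSID = @user;";
        var cmd = new SqlCommand(sql, connection);
        // Explicit type and length (assumed varchar(30)) avoid AddWithValue's type inference.
        cmd.Parameters.Add("@user", SqlDbType.VarChar, 30).Value = userId;
        return cmd;
    }

    public static void Main()
    {
        // No database is needed to see both behaviours: a listed table yields a command
        // whose text contains only the quoted identifier and the parameter placeholder.
        SqlCommand ok = BuildCommand(null, "TABLE_AD", "BOB");
        Console.WriteLine(ok.CommandText);
        try { QuoteTable("not_a_listed_table"); }
        catch (ArgumentException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

The command is then executed with ExecuteReader or ExecuteScalar on an open connection exactly as in the Users example above.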

"Göran Andersson" <gu***@guffa.com> wrote in message
news:%2****************@TK2MSFTNGP02.phx.gbl...
If you need to dynamically set the table name, that suggests that the
database design is wrong. Data should be stored as data in the tables, not
as table names or field names.

Put the data in a single table, and put whatever it is that you now have
as table name into a column in the table.
That's a beautiful theory, and, in theory, I agree with it 100%.
Unfortunately, I have to work in the real world, not the theory world, and
it has been my experience that sometimes you really need multiple tables,
and sometimes you need to loop over those tables. So while table name
substitution shouldn't be the first choice, it's nearsighted to say that its
usage automatically indicates bad design.
Oct 2 '08 #10
