473,382 Members | 1,302 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

home > topics > microsoft sql server > questions > query with a table name that has a space...

Join Bytes to post your question to a community of 473,382 software developers and data experts.

query with a table name that has a space...

I have a table name in SQL Server 2000 that has a space in it
ex: aim international

I had trouble just in the query analyzer with this..I had to place the
name in brackets [] for it to work. But now I'm in Visual Studio .Net
2003 and it gives me another problem. I get the table name from a drop
down list selection and send it to a query string. But is gives me this
error:
***************
Line 1: Incorrect syntax near 'AIM international'.
Exception Details: System.Data.SqlClient.SqlException: Line 1:
Incorrect syntax near 'AIM international'.
******************
Here is the string:
****************
Dim sqlStr As String = "SELECT DISTINCT Last_Name FROM '" & PubName &
"' WHERE PostalCode ='" & postalcode & "' And Title='" & title & "'
ORDER BY Last_Name "
**********************

And the variable PubName is the string AIM international .
I tried placing it in brackets like in the query analyzer :
****************
Dim sqlStr As String = "SELECT DISTINCT Last_Name FROM ['" & PubName &
"'] WHERE PostalCode ='" & postalcode & "' And Title='" & title & "'
ORDER BY Last_Name "
*******************

and I get this:
*******************
Invalid object name ''AIIM international''.
Exception Details: System.Data.SqlClient.SqlException: Invalid object
name ''AIIM international''.
*******************

Any idea what I have to do for it to work ??? Can I use table names
with spaces or it's just not a good idea???
Thanks for the help guys!!
JMT

Jul 23 '05 #1
6 20977
Hi,
I have a table name in SQL Server 2000 that has a space in it
ex: aim international

I had trouble just in the query analyzer with this..I had to place the
name in brackets [] for it to work. But now I'm in Visual Studio .Net
2003 and it gives me another problem. I get the table name from a drop
down list selection and send it to a query string. But is gives me this
error:
***************
Line 1: Incorrect syntax near 'AIM international'.
Exception Details: System.Data.SqlClient.SqlException: Line 1:
Incorrect syntax near 'AIM international'.
******************
Here is the string:
****************
Dim sqlStr As String = "SELECT DISTINCT Last_Name FROM '" & PubName &
"' WHERE PostalCode ='" & postalcode & "' And Title='" & title & "'
ORDER BY Last_Name "
**********************

And the variable PubName is the string AIM international .
I tried placing it in brackets like in the query analyzer :
****************
Dim sqlStr As String = "SELECT DISTINCT Last_Name FROM ['" & PubName &
There's an extra single quote there: [' ... & pubname ...
"'] WHERE PostalCode ='" & postalcode & "' And Title='" & title & "'
ORDER BY Last_Name "
*******************

and I get this:
*******************
Invalid object name ''AIIM international''.
Exception Details: System.Data.SqlClient.SqlException: Invalid object
name ''AIIM international''.
*******************

Any idea what I have to do for it to work ??? Can I use table names
with spaces or it's just not a good idea???


Well, it's not an good idea either :-)
--
With regards,

Martijn Tonies
Database Workbench - tool for InterBase, Firebird, MySQL, Oracle & MS SQL
Server
Upscene Productions
http://www.upscene.com
Jul 23 '05 #2
Well thanks alot Martijn,

Thoses extra quotes really made a difference. Now it all works!!
here's the new string:
Dim sqlStr As String = "SELECT DISTINCT Last_Name FROM [" & PubName &
"] WHERE PostalCode ='" & postalcode & "' And Title='" & title & "'
ORDER BY Last_Name "

Beautiful!! I love it when things end up working!!
Thanks again!
JMT

Jul 23 '05 #3
vbnetrookie (bi****@hotmail.com) writes:
Well thanks alot Martijn,

Thoses extra quotes really made a difference. Now it all works!!
here's the new string:
Dim sqlStr As String = "SELECT DISTINCT Last_Name FROM [" & PubName &
"] WHERE PostalCode ='" & postalcode & "' And Title='" & title & "'
ORDER BY Last_Name "


And now for title enter the following string:

' DROP TABLE [AIM International] --

As a safety precaution, make sure that you have a backup of your database
available.

--
Erland Sommarskog, SQL Server MVP, es****@sommarskog.se

Books Online for SQL Server SP3 at
http://www.microsoft.com/sql/techinf...2000/books.asp
Jul 23 '05 #4
I'm not sure what you mean :
enter the following string for title ???
WHat will this do and why add that line if it all works now???
I'm alaways willing to learn new stuff so i'm all ears!!
JMT

Jul 23 '05 #5
vbnetrookie (bi****@hotmail.com) writes:
I'm not sure what you mean :
enter the following string for title ???
WHat will this do and why add that line if it all works now???
I'm alaways willing to learn new stuff so i'm all ears!!


Presumably title comes from an input field. And it is into this input
field you should enter this string and learn what happens. You may
think you are searching for some data, but in fact you will blow away
your table.

This is something which is called "SQL injection". By entering SQL commands
into an input field, an intruder might be able to do things your database
that you did not intend. This is particular a danger if that input field
in on a web site. The trick is simple: Use an ' to close the string and
also a -- at the end to kill the syntax that comes after the query.

The remedy for this problem is simple: rather than building the complete
SQL statement, you use a parameterised statement:

Dim sqlStr As String = "SELECT DISTINCT Last_Name FROM [" & PubName &
"] WHERE PostalCode = @postalcode And Title= @title "

You then add the parameters with .AddParameter which I believe is on
the command object. (I'm not a very frequent ADO .Net programmer, so
I don't remember the details.) I encourage you to look it up. And I
cannot stress enough that this is essential stuff.

As you may note, I did not use a parameter for the table name; This is
because table names cannot be parameterized. Usually if you find the need
to determine the table name dynamically, this is a strong indiciation of
a poor database design.

--
Erland Sommarskog, SQL Server MVP, es****@sommarskog.se

Books Online for SQL Server SP3 at
http://www.microsoft.com/sql/techinf...2000/books.asp
Jul 23 '05 #6
> now for title enter the following string:
' DROP TABLE [AIM International] --


Well, technically you'd need:
[AIM International]; DROP TABLE [AIM International] --

You have to finish that first SQL statement before you can in inject
new code.

I agree that if the table name is a parameter it indicates that the
database is not normalized, but if you *had* to do it that way then I'd
suggest putting the table names into an array and just passing as input
an index to the array (and of course doing bounds checking on it.)

Jul 23 '05 #7
New Post

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

9
Table name lengths...
by: Chris Bowlby | last post by:
Hi All, I've noticed that in the pg_type system table, there is a data type called "name", would that represent the definition of the table name space, including the max length a talbe name...
PostgreSQL Database
4
MySQLdb question... using table name as arg
by: Sean Berry | last post by:
I have four tables that all have the same column names (50 in each.) I have created an admin program to edit, delete and add records to the tables and would like to use the table name as a...
Python
3
MySQL dynamic table name within query
by: ryanmhuc | last post by:
Is it possible to have a dynamic table name within a query or a table name that is a variable? This does not work but gives an example: SELECT * FROM concat('table', 'name') - OR - SET @table...
MySQL Database
2
Retrieve the table name behind a control on a subform
by: SueA | last post by:
Can anyone help me with the code to retrieve the name of the table that a control on a form (that's built off a query) refers to? For instance: qryMfrsAndBrands is based on the tables:...
Microsoft Access / VBA
7
Query Table Name
by: bluenewport | last post by:
I union several tables by query. And I plan to use table name to identify data source. Any one can help? Thnaks
Microsoft Access / VBA
11
Trouble passing mysql table name to php function and using it!
by: kennthompson | last post by:
Trouble passing mysql table name in php. If I use an existing table name already defined everything works fine as the following script illustrates. <?php function fms_get_info() { $result =...
PHP
5
Loading Access query table into MSFlexgrid
by: sansann | last post by:
Hello there! i need help on loading data from my Access database query table name combine into my MSFlexgrid select by batchno category. when i runn below coding the error said "Selected collating...
Visual Basic 4 / 5 / 6
2
HowTo? LINQ Query Table Name (Range Variable) Not Known Until Runtime
by: Joey | last post by:
I am querying a DataSet with LINQ. I am running into a problem when trying to construct my query because in the "from" clause I do not know the table name (range variable) until runtime. Possible...
ASP.NET
10
irfanafzal
How to change query table name at run time in crystal report
by: irfanafzal | last post by:
Hello I have saved query in MS Access "SELECT ID ,Name, Address from Data2001" I am using this query in Crystal report My question is this can I change table name in this query "DATA2001" to...
Visual Basic 4 / 5 / 6
1
Cloud Servers without Credit Card and Email Registration: A Simpler Way to Get on the Cloud
by: CloudSolutions | last post by:
Introduction: For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
General
0
Wordpress or something else?
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
Content Management Systems
0
How to turn on java script in a villaon keypad mobile phone
by: Charles Arthur | last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
Java
0
Basic Javascript concepts
by: aa123db | last post by:
Variable and constants Use var or let for variables and const fror constants. Var foo ='bar'; Let foo ='bar';const baz ='bar'; Functions function $name$ ($parameters$) { } ...
Javascript
0
Merging data from multiple Excel files
by: ryjfgjl | last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
Data Management
0
Migrating Website to Cloud - Emmanuel Katto
by: emmanuelkatto | last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud. Please let me know. Thanks! Emmanuel
General
0
BarryA
Navigating the Data Structures and Algorithms (DSA)
by: BarryA | last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
Algorithms / Advanced Math
1
Looking to do Android software development, any suggestions? Is flutter better?
by: nemocccc | last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
General
0
How to build RAID in BIOS?
by: Hystou | last post by:
There are some requirements for setting up RAID: 1. The motherboard and BIOS support RAID configuration. 2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
Computer Hardware

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes:
Post a Job
Sponsored Posts
Platinum & Gold Sponsors
Hire Now!