I've been looking around for a way to enter a variable table name and it seems the best way is to use dynamic sql, although it can lead to SQL injection. Can anyone demonst
The simplest way is to simply use string concatenation to put the table name into your SQL query. However, you'd still be open to SQL injection as long as a malicious user can inject an arbitrary string into your query. For instance, let's say your API URL is http://example.org/all?table_name=customer&order=desc, and you are just extracting "table_name" from the URL for the user name.
You should prevent possible SQL injections by having a static server side whitelist of valid table names (e.g. String[] ValidTableNames = new String[] { "customer", "purchase", ... }), and ensuring that the table_name param value is one of these values before adding it to your SQL query.
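A runnable version of the whitelist approach from this answer, added here as an example rather than the answerer's own code: it uses Python with an in-memory sqlite3 database, and the table names, column names and sample rows are constructed for the demo. Both the table name and the order direction are checked against server-side constants before being placed in the query text.

```python
import sqlite3

# Static server-side whitelist of table names (constructed for this example).
VALID_TABLE_NAMES = frozenset({"customer", "purchase"})
# Same idea for the "order" parameter: map user input to fixed SQL keywords.
VALID_ORDERS = {"asc": "ASC", "desc": "DESC"}


def build_select_all(table_name: str, order: str) -> str:
    """Return a SELECT for a whitelisted table, or raise ValueError.

    The user-supplied table name is only ever compared against the whitelist;
    the string that ends up in the SQL is the matching server-side constant.
    """
    if table_name not in VALID_TABLE_NAMES:
        raise ValueError(f"unknown table: {table_name!r}")
    direction = VALID_ORDERS.get(order.lower())
    if direction is None:
        raise ValueError(f"unknown order: {order!r}")
    # Safe to concatenate: both values now come from server-side constants.
    return f'SELECT * FROM "{table_name}" ORDER BY id {direction}'


def fetch_all(conn: sqlite3.Connection, table_name: str, order: str) -> list:
    """Run the whitelisted query and return all rows."""
    return conn.execute(build_select_all(table_name, order)).fetchall()


def demo() -> dict:
    """Populate an in-memory database and exercise valid and hostile inputs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE purchase (id INTEGER PRIMARY KEY, amount INTEGER);
        INSERT INTO customer (name) VALUES ('alice'), ('bob');
        INSERT INTO purchase (amount) VALUES (10), (20);
        """
    )
    results = {
        "customer_desc": fetch_all(conn, "customer", "desc"),
        "purchase_asc": fetch_all(conn, "purchase", "asc"),
    }
    # A table_name value that is not in the whitelist is rejected before it
    # reaches the SQL text, regardless of what else it contains.
    try:
        fetch_all(conn, "customer; DROP TABLE purchase; --", "desc")
        results["rejected"] = False
    except ValueError:
        results["rejected"] = True
    return results
```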