C# - SqlDataAdapter -- prevent SQL injection on table name?


I have the following code:

    // TOP 0 returns no rows; only the schema is needed.
    SqlDataAdapter adapter = new SqlDataAdapter("SELECT TOP 0 * FROM [TableName]", conn);
    DataTable dt = new DataTable();
    adapter.FillSchema(dt, SchemaType.Mapped);

I am using this to build a DataTable of the table's schema.

Normally, when people are asking about SQL injection, they are talking about query params :), but my question is about the table name:

    SELECT TOP 0 * FROM [TableName]

[TableName] is going to be dynamic / determined at runtime (this is for a framework, btw)...

The table name passed to the method is not trusted, so I want to make sure there isn't any funny business going on?

Do I have to manually scrub the table name (and I'm sure I'll miss something)? Or is there a built-in method for that? Or can I somehow prevent SQL injection on the table name?

You could go by the rules for valid table names:

128 char - letters, numbers, , limited other special characters

Within those rules, I don't think injection is possible.

CREATE TABLE - see table_name
Valid identifier
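
An added example, not from the original post or its answer: one way to apply the identifier rules above as an allow-list check before the table name reaches the query text. `TableNameGuard`, `Quote` and `SchemaQuery` are hypothetical names, the sample inputs are constructed, and the check is deliberately stricter than the full identifier rules (no leading `@` or `#`, no delimited names containing spaces or dots).

```csharp
using System;
using System.Text.RegularExpressions;

static class TableNameGuard
{
    // SQL Server regular-identifier rules, narrowed for table names (assumption:
    // a leading @ or # is rejected, since those mark variables and temp objects).
    // First char: letter or underscore; rest: letters, digits, @, $, #, _; 128 chars max.
    private static readonly Regex Valid =
        new Regex(@"\A[\p{L}_][\p{L}\p{Nd}@$#_]{0,127}\z", RegexOptions.CultureInvariant);

    // Returns the bracket-quoted name, or throws if the name breaks the rules.
    public static string Quote(string tableName)
    {
        if (tableName == null || !Valid.IsMatch(tableName))
            throw new ArgumentException("Invalid table name.", nameof(tableName));
        // Defense in depth: double any ']' before wrapping in brackets.
        return "[" + tableName.Replace("]", "]]") + "]";
    }

    // Builds the schema-only query from the question.
    public static string SchemaQuery(string tableName)
    {
        return "SELECT TOP 0 * FROM " + Quote(tableName);
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed sample inputs: two valid names, then three that must be rejected
        // (bracket break-out attempt, schema-qualified name, 129 characters).
        string[] samples = { "Orders", "order_items_2024", "Orders]; SELECT 1 --",
                             "dbo.Orders", new string('a', 129) };
        foreach (string s in samples)
        {
            string shown = s.Length > 40 ? s.Substring(0, 40) + "..." : s;
            try { Console.WriteLine(shown + " -> " + TableNameGuard.SchemaQuery(s)); }
            catch (ArgumentException) { Console.WriteLine(shown + " -> rejected"); }
        }
    }
}
```

The result can be passed to the adapter as `new SqlDataAdapter(TableNameGuard.SchemaQuery(name), conn)`. ADO.NET's `SqlCommandBuilder.QuoteIdentifier` performs the same bracket quoting if you prefer a framework call for that step.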

