The problem was to create a table dynamically by allowing the user to specify the table name and to specify fields and field types. Now that was a pretty easy task, but here is the problem. Since user input was involved in the SQL statement, I wanted to use parameters to do it, so I took the user input and built the statement using a Dictionary(Of String, String).
The problem is, my statement looked like this:
CREATE TABLE @tableName (@field1 VarChar(50), @field2 VarChar(50))
I then added my parameters with their appropriate values just like I would with any other parameterized statement.
When the SQL statement was executed I received a syntax error on '@tableName'.
When I used concatenation of the string values (bypassing parameters altogether), the statement of course worked perfectly.
So I guess the question is this:
Is there a way to allow a user to create a table by specifying this information with a parameter of sorts?
Is this being overly cautious?
I guess I should say, I never tried to inject anything to see what would happen because I was leaving work when I discovered this. But I really don't see why I couldn't; all it would take is to enter a table name and complete it with a field and type, and then I could put ;DROP TABLE blah -- and I would think I would have control of the statement.
This post has been edited by CharlieMay: 21 April 2012 - 08:29 AM
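The behaviour described in the post is general: bound parameters carry values, not identifiers, so a table or column name can never be supplied through @tableName. The usual defensive pattern is to validate the user-supplied name against a strict allowlist pattern, delimit it as a quoted identifier, and take the column type from a fixed allowlist rather than from free text. The following is an added example written for this page, not code from the original post; it uses Python with an in-memory SQLite database instead of the poster's VB.NET and SQL Server stack (the IDENTIFIER_RE pattern, the ALLOWED_TYPES table and all sample names are constructed for the example). SQL Server users would use QUOTENAME for the delimiting step; the validation logic is the same.

```python
import re
import sqlite3

# Column types the application is willing to emit, keyed by their normalized
# spelling. Constructed for this example; restrict it to what the schema needs.
ALLOWED_TYPES = {
    "VARCHAR(50)": "VARCHAR(50)",
    "INTEGER": "INTEGER",
    "TEXT": "TEXT",
}

# Identifier allowlist: a letter followed by letters, digits or underscores,
# at most 63 characters. Anything else (spaces, ';', quotes, '--') is rejected.
IDENTIFIER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,62}$")


def is_valid_identifier(name: str) -> bool:
    """True when the name matches the allowlist pattern."""
    return IDENTIFIER_RE.fullmatch(name) is not None


def is_allowed_type(type_text: str) -> bool:
    """True when the user-supplied type is one of the allowlisted types."""
    return type_text.strip().upper() in ALLOWED_TYPES


def quote_identifier(name: str) -> str:
    """Validate an identifier and return it as a standard double-quoted identifier.
    Embedded double quotes are doubled, as the SQL standard requires; the allowlist
    already excludes them, but both layers are kept on purpose."""
    if not is_valid_identifier(name):
        raise ValueError(f"invalid identifier: {name!r}")
    return '"' + name.replace('"', '""') + '"'


def build_create_table(table: str, fields: dict) -> str:
    """Build CREATE TABLE text from validated identifiers and allowlisted types.
    Only the allowlisted spelling of each type ever reaches the statement."""
    if not fields:
        raise ValueError("a table needs at least one column")
    columns = []
    for column, type_text in fields.items():
        if not is_allowed_type(type_text):
            raise ValueError(f"type not allowed: {type_text!r}")
        canonical = ALLOWED_TYPES[type_text.strip().upper()]
        columns.append(f"{quote_identifier(column)} {canonical}")
    return f"CREATE TABLE {quote_identifier(table)} ({', '.join(columns)})"


def columns_after_create(table: str, fields: dict) -> list:
    """Run the built statement against a fresh in-memory database and return
    the column names SQLite reports, so the result can be checked."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute(build_create_table(table, fields))
        rows = conn.execute(f"PRAGMA table_info({quote_identifier(table)})").fetchall()
        return [row[1] for row in rows]
    finally:
        conn.close()


def parameter_as_identifier_fails() -> bool:
    """Reproduce the post's observation: a bound parameter in the table-name
    position is a syntax error, because parameters bind values, not names."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE TABLE ? (id INTEGER)", ("demo",))
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()


if __name__ == "__main__":
    print(build_create_table("customers", {"name": "varchar(50)", "age": "integer"}))
    print("columns:", columns_after_create("customers", {"name": "varchar(50)"}))
    print("parameter as identifier fails:", parameter_as_identifier_fails())
    print("identifier with ';' accepted:", is_valid_identifier("blah;DROP TABLE blah --"))
```

The statement text still comes from string building, but every piece that comes from the user has passed through either the identifier allowlist or the type allowlist before it is inserted, so the fragment the post worries about (;DROP TABLE blah --) is rejected at validation rather than reaching the database.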