Alon M

Reputation: 1683

Create SQL Server database from C# - using parameters

I am trying to put together some code to create a database from my C# code (ASP.NET website).

This is my code:

SqlCommand myCommand = new SqlCommand("CREATE DATABASE @dbname", nn);
myCommand.Parameters.Add("dbname", dbname);

myCommand.ExecuteNonQuery();
nn.Close();

Well, it's not working. It's giving me an error:

incorrect syntax near '@dbname'

But if I don't use parameters, people can SQL-inject my database. Do you have any idea how I can use something to get the database name from a textbox, so that people can't SQL-inject my database?

Upvotes: 2

Views: 725

Answers (1)

podiluska

Reputation: 51494

You can't use parameters in CREATE DATABASE or other DDL commands.

I'd suggest using SQL Server Management Objects instead of SQL.

Upvotes: 4
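One way to apply the answer's suggestion, as an added example that is not part of the original question or answer: the textbox value is checked against an allow-list before SQL Server Management Objects creates the database, so no SQL string is ever concatenated. It assumes the Microsoft.SqlServer.SqlManagementObjects NuGet package and Windows authentication to the instance; `DatabaseProvisioner`, `IsSafeDatabaseName` and the 64-character naming policy are hypothetical choices for illustration.

```csharp
using System;
using System.Text.RegularExpressions;
using Microsoft.SqlServer.Management.Smo; // assumption: SMO NuGet package is referenced

static class DatabaseProvisioner // hypothetical helper, not from the original post
{
    // Allow-list policy (an assumption): letter or underscore first, then
    // letters, digits or underscores, 64 characters at most.
    static readonly Regex SafeName =
        new Regex(@"\A[A-Za-z_][A-Za-z0-9_]{0,63}\z", RegexOptions.CultureInvariant);

    public static bool IsSafeDatabaseName(string name) =>
        name != null && SafeName.IsMatch(name);

    // Creates the database through SMO instead of a hand-built CREATE DATABASE string.
    public static void CreateDatabase(string serverInstance, string dbName)
    {
        // Reject anything outside the allow-list before it reaches the server.
        if (!IsSafeDatabaseName(dbName))
            throw new ArgumentException("Database name is outside the allow-list.", nameof(dbName));

        var server = new Server(serverInstance); // connects with Windows authentication
        try
        {
            var db = new Database(server, dbName);
            db.Create(); // SMO generates and runs the DDL itself
        }
        finally
        {
            server.ConnectionContext.Disconnect();
        }
    }

    static void Main(string[] args)
    {
        // Constructed sample inputs, as they might arrive from the textbox.
        string[] samples = { "Customer_2024", "sales; DROP DATABASE sales", "", "1abc", "my db" };
        foreach (var s in samples)
            Console.WriteLine($"{s,-30} -> {(IsSafeDatabaseName(s) ? "accepted" : "rejected")}");

        // Optional: pass <serverInstance> <dbName> to actually create the database.
        if (args.Length == 2)
            CreateDatabase(args[0], args[1]);
    }
}
```

Run without arguments, it only prints the validation result for each sample; only `Customer_2024` is accepted.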
