
I am trying to put up code to create a database from my C# code (ASP.NET website).

This is my code:

// nn is an already-open SqlConnection; dbname comes from a textbox
SqlCommand myCommand = new SqlCommand("CREATE DATABASE @dbname", nn);
myCommand.Parameters.Add("dbname", dbname);

myCommand.ExecuteNonQuery();
nn.Close();

Well, it's not working. It's giving me an error:

incorrect syntax near '@dbname'

BUT if I don't use parameters, people can SQL inject my database. Do you have any idea how I can use anything to get the database name from a textbox so that people can't SQL inject my database?

1 Answer


You can't use parameters in CREATE DATABASE or other DDL commands.

I'd suggest using SQL Server Management Objects instead of SQL.

  • I see that link, but i can't understand anything, do you have a code sample? Commented Oct 1, 2012 at 10:25
  • Not to be snarky, but the posted link has the simplest possible sample code. Work at understanding it. Commented Oct 1, 2012 at 12:27
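Two ways to create the database safely from a user-supplied name, as an added example that is not part of the question or the answer above. The first follows the answer's SMO suggestion; the second stays with plain SqlClient and shows why the original failed: the object name in DDL cannot be a parameter, but the name can be passed as a parameter into a batch that builds the statement with QUOTENAME, which bracket-delimits the identifier and doubles any `]` inside it. The connection string, the `SafeName` allow-list and the `DatabaseCreator` class name are assumptions for the example; the login used must hold CREATE DATABASE permission (dbcreator role or CREATE ANY DATABASE), which an ASP.NET application login normally should not, so consider doing this from a separate, more privileged component.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using Microsoft.SqlServer.Management.Common;   // SMO: ServerConnection
using Microsoft.SqlServer.Management.Smo;      // SMO: Server, Database

// Added example, not code from the original question or answer.
public static class DatabaseCreator
{
    // Hypothetical allow-list policy: plain identifier characters, at most 128 chars
    // (sysname). Defence in depth on top of the delimiting done below.
    private static readonly Regex SafeName =
        new Regex(@"^[A-Za-z_][A-Za-z0-9_]{0,127}$", RegexOptions.Compiled);

    private static void CheckName(string dbname)
    {
        if (dbname == null || !SafeName.IsMatch(dbname))
            throw new ArgumentException("Database name must be a plain identifier.", nameof(dbname));
    }

    // Option 1 (the answer's suggestion): SQL Server Management Objects.
    // SMO generates the CREATE DATABASE statement itself and bracket-escapes the name.
    public static void CreateWithSmo(string connStr, string dbname)
    {
        CheckName(dbname);
        using (var conn = new SqlConnection(connStr))
        {
            var server = new Server(new ServerConnection(conn));
            var db = new Database(server, dbname);
            db.Create();
        }
    }

    // Option 2: plain SqlClient. The name still travels as a real parameter; only the
    // server-side batch builds the DDL text, using QUOTENAME so that a value such as
    //   x]; DROP DATABASE prod; --
    // becomes the single identifier [x]]; DROP DATABASE prod; --] rather than a statement.
    public static void CreateWithQuotename(string connStr, string dbname)
    {
        CheckName(dbname);
        const string sql = @"
DECLARE @sql nvarchar(300) = N'CREATE DATABASE ' + QUOTENAME(@dbname);
EXEC sp_executesql @sql;";

        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@dbname", SqlDbType.NVarChar, 128).Value = dbname;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}

// Usage from the page handler (constructed example):
//   DatabaseCreator.CreateWithQuotename(connStr, txtDbName.Text.Trim());
```

Of the two, the QUOTENAME route needs no extra assemblies and keeps the name out of string concatenation on the client entirely; the SMO route is what the answer points at and also handles the name safely, but it pulls in the Microsoft.SqlServer.Smo assemblies. The allow-list check is optional for injection safety but stops names with spaces, brackets or non-ASCII characters that are legal identifiers yet rarely wanted from a web form.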
