I have an SQL query of this form:
string cmdText = "Select * from " + searchTable
    + "WHERE " + searchTable
    + "Name =' " + searchValue + "'";
You can put (and should!) parameters into your SQL queries for the values in e.g. your WHERE
clause - but you cannot parametrize stuff like your table name.
So I'd rewrite that query to be:
SELECT (list of columns)
FROM dbo.Actor
WHERE ActorName = @ActorName
and then pass in just the value for @ActorName.
If you need to do the same thing for directors, you'd have to have a second query
SELECT (list of columns)
FROM dbo.Directors
WHERE DirectorName = @DirectorName
Using parameters like this
PS: the original problem in your setup is this: you don't have any space between the first occurrence of your table name and the WHERE clause - thus you would get:
SELECT * FROM ActorWHERE ActorName ='.....'
If you really insist on concatenating together your SQL statement (I would NOT recommend it!), then you need to put a space between your table name and your WHERE!
Update: some resources for learning about parametrized queries in ADO.NET:
There is a blank missing and one too many:
searchTable + "Name =' "
should read
searchTable + " Name ='"
Besides that, use SQL parameters to prevent SQL injection.
You shouldn't concatenate string to SQL, as this will open you up to SQL Injection attacks.
This is a rather long read about dynamic SQL, but worth reading to understand the risks and options.
You should be using parameterized queries instead, though the only way to use a table name as a parameter is to use dynamic SQL.
I urge you to change your approach regarding table names - this will lead to problems in the future - it is not maintainable and as I mentioned above, could open you to SQL Injection.
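An added example, not code from the question or from any of the answers above, written in Python with the standard sqlite3 module rather than ADO.NET so it runs offline: it puts the asker's concatenated query (with the missing space fixed) next to the approach the first and third answers recommend, a placeholder for the value and a fixed whitelist that maps each permitted table name to its name column, since the table name itself cannot be a parameter. The Actor and Director tables, their rows and the column names are constructed for the demo.

```python
import sqlite3

# Constructed whitelist: the only table names the caller may pick, each mapped
# to the column the asker builds as searchTable + "Name". Anything not listed
# is rejected before it gets anywhere near the SQL text.
ALLOWED_TABLES = {
    "Actor": "ActorName",
    "Director": "DirectorName",
}


def make_db():
    """Constructed in-memory stand-in for the asker's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Actor (ActorId INTEGER PRIMARY KEY, ActorName TEXT);
        CREATE TABLE Director (DirectorId INTEGER PRIMARY KEY, DirectorName TEXT);
        INSERT INTO Actor (ActorName) VALUES ('Alice'), ('Bob'), ('O''Neil');
        INSERT INTO Director (DirectorName) VALUES ('Carol');
        """
    )
    return conn


def vulnerable_query(table, value):
    """The asker's concatenation with only the missing space added.
    The value is still spliced into the SQL text, so quotes in it are
    interpreted as SQL."""
    return "SELECT * FROM " + table + " WHERE " + table + "Name = '" + value + "'"


def search_vulnerable(conn, table, value):
    """Run the concatenated query. Returns the rows, or an error string when
    the spliced-in value breaks the statement (e.g. a name with an apostrophe)."""
    try:
        return conn.execute(vulnerable_query(table, value)).fetchall()
    except sqlite3.OperationalError as exc:
        return f"SQL error: {exc}"


def search_safe(conn, table, value):
    """Whitelist the table name, then pass the search value as a parameter.
    The '?' placeholder is sqlite3's equivalent of ADO.NET's @ActorName:
    the driver sends the value separately, so it can never change the query."""
    try:
        column = ALLOWED_TABLES[table]
    except KeyError:
        raise ValueError(f"unknown table: {table!r}") from None
    sql = f"SELECT * FROM {table} WHERE {column} = ?"
    return conn.execute(sql, (value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print(vulnerable_query("Actor", payload))
    print("concatenated:", search_vulnerable(db, "Actor", payload))   # every row
    print("parameterized:", search_safe(db, "Actor", payload))        # no rows
    print("apostrophe, concatenated:", search_vulnerable(db, "Actor", "O'Neil"))
    print("apostrophe, parameterized:", search_safe(db, "Actor", "O'Neil"))
```

The whitelist also gives the asker the maintainability point from the answers for free: adding a third searchable table is one dictionary entry, and a table name arriving from the request that is not in the dictionary fails closed instead of being pasted into the statement.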
The error you are seeing is a result of the concatenation you are doing with the "Where " clause - you are missing a space before it. You are also adding a space after the ' in the parameter ending with "Name".
Your resulting string, using your example would be:
Select * from ActorWHERE ActorName =' some actor';
string cmdText = "Select * from " + searchTable + " WHERE Name = '" + searchValue + "'";