C# SQL Select Query table parameter

Question

I am trying to select from a table where the table name is being assigned from a variable as im using two different tables. However it comes up with a DB2Exception Error.

db2Error = {"ERROR [42601] [IBM][AS] SQL0104N  An unexpected token \"'TABLENAME'\" was found following \"\". 

This query is the one which causes the error - Table name is a string which has the names of the table.

string strUpdate = "SELECT COMMENT FROM '" + tableName + "' WHERE NUMBER = '" + strNumber + "' AND CODE = '" + c.Trim() + "' ";

This query works fine though -

 //  string strUpdate = "SELECT COMMENT FROM TABLE WHERE NUMBER = '" + strNumber + "' AND CODE = '" + c.Trim() + "'";

Is it possible to parametrise/use variable for the table name?

Answer 1

Why are you using qoutes in your from statement? it should just simply be

select sysdate 
from dual;

Also use the SqlCommand class to add parameters in your selectstatement as follows.

string strUpdate = "SELECT COMMENT FROM @tablename WHERE NUMBER = @strnumber AND CODE = @c";
SqlCommand insertCommand = new SqlCommand(strUpdate , connection);
insertCommand.Parameters.AddWithValue("@tableName ", tableName );
insertCommand.Parameters.AddWithValue("@strNumber ", strNumber );
insertCommand.Parameters.AddWithValue("@c", c.trim());

Answer 2

SQL injection risk aside, the two shown queries are simply not the same .

The query you showed is

string strUpdate = "SELECT COMMENT FROM TABLE WHERE NUMBER = " etc.

However, the code you showed produces the following query:

string strUpdate = "SELECT COMMENT FROM 'TABLE' WHERE NUMBER = " etc.

The table name should simply not be in quotes. And given the fact you're not using parameters, this isn't even the parameter system's fault; the quotes are right there in your own query-constructing code. Just delete them.