System.Data.SqlClient.SqlException: 'Incorrect syntax near '='.' on Datatable and object

Question

I've looked at a lot of similar questions on this site and elsewhere but none of them have helped me.

I'm trying to make a database connection with a query but I get the error

System.Data.SqlClient.SqlException: 'Incorrect syntax near '='.'

on 2 different lines of code. I've tried to use spaces in the query around the = but that doesn't help.

Code 1 is:

string connectieString = dbConnection();

SqlConnection connection = new SqlConnection(connectieString);

SqlCommand select = new SqlCommand();
select.Connection = connection;

select.Parameters.Add("@attackCategory", SqlDbType.NChar).Value = attackCategory;
select.Parameters.Add("@taughtOn", SqlDbType.NVarChar).Value = taughtOn;
select.CommandText = "SELECT ID, Name FROM attackCategory = @attackCategory WHERE TaughtOn = @taughtOn";

using (SqlDataAdapter sda = new SqlDataAdapter(select.CommandText, connection))
{
    DataTable dt = new DataTable();
    sda.Fill(dt);

    return dt;
}

The exception is thrown on the sda.Fill(dt); line of code. This code works if no parameters are used in the query:

string cmd = @"select ID, Name from " + attackCategory + " where TaughtOn ='" + taughtOn + "'";

And code 2 is:

string connectieString = dbConnection();

SqlConnection connection = new SqlConnection(connectieString);

SqlCommand select = new SqlCommand();
select.Connection = connection;

select.Parameters.Add("@attackCategory", SqlDbType.NVarChar).Value = attackCategory;
select.Parameters.Add("@ID", SqlDbType.Int).Value = id;
select.CommandText = "SELECT Name FROM attackCategory = @attackCategory WHERE ID = @ID";

connection.Open();
object name = select.ExecuteScalar();
connection.Close();

return name;

The exception fires on the object name = select.ExecuteScalar(); line of code. This code works if 1 parameter is used in the query:

select.Parameters.Add("@ID", SqlDbType.Int).Value = id;
select.CommandText = "SELECT Inhabitants FROM Planet WHERE ID=@ID";

Answer 1

You cannot provide table name has parameter, parameter applies in where clause with columns value.

string cmd = @"select ID, Name from " + attackCategory + " where TaughtOn ='" + taughtOn + "'";

but, we need to simplify to use parameter in this query.

SqlCommand select = new SqlCommand();
 select.Connection = connection;
 select.Parameters.Add("@taughtOn", SqlDbType.VarChar,50).Value = taughtOn;
 string cmd = @"select ID, Name from " + attackCategory + " where TaughtOn  =@taughtOn"; 
 select.CommandText = cmd;

In the above tsql query, string concatenation applies and table name is included in the string, which will work.

Edit:-

I get it why you the sqlDataAdapter is not Recognizing the parameter. Reason is you have not provided it. Yes, That's right you have provided the CommandText and not the Command Object which is of select variable.

I have corrected your code.

select.Parameters.Add("@taughtOn", SqlDbType.VarChar, 50).Value = taughtOn; 
string cmd = @"select ID, Name from " + attackCategory + " where TaughtOn =@taughtOn"; 
select.CommandText = cmd; 
select.Connection = new SqlConnection("provide your sql string");
using (SqlDataAdapter sda = new SqlDataAdapter(select)) 
{ 
DataTable dt = new DataTable(); 
sda.Fill(dt); 
return dt; 
}

Hope this helps !!

Answer 2

You can't bind object names like that. For object names, you'll have to resort to some sort of string concatenation. Eg:

select.Parameters.Add("@taughtOn", SqlDbType.NVarChar).Value = taughtOn;
select.CommandText = "SELECT ID, Name FROM " + attackCategory + " WHERE TaughtOn=@taughtOn";

Note:
This is an over-simplified solution that does nothing to mitigate the risk of SQL-Injection attacks. You'll need to sanitize attackCategory before using it like this.