Kalil

Kalil

  • NA
  • 2
  • 0

Parametrized SQL table name OR?

Feb 1 2006 2:22 AM

Hello,

I am new to ASP/C#/SQL programming and to this forum, and trying to learn as quickly as possible.

I am creating a web interface for someone not very computer literate to be able to create new customers. (I believe security is not an issue as the database,application and web servers are all on the same machine on an intranet).

In the database, I have a table where I store username (unique identifier) and passwords for customers.
In the aspx. OnSubmit (of t1.Text & t2.Text ie. username & password), these, if valid, are added to the "customers" table.
However, OnSubmit, I also want to create a new permanent table in the database, where I know the columns (transaction date, amount, description....) in advance but not the table name. I want the table name to be "username".

Obviously, I can format the command string and put t1.Text where it should be. But I have read about SQLInjection, so I would rather use a parameter as the table name. But this does not seem to be possible (even if the code is in a stored procedure rather than with the aspx. page).

Is it possible to parametrize the table name? If not, what is the solution?
Is it possible to parametrize the owner of the table?
I guess that, since i am validating the username, there is no risk of SQLInjection anyway and I could just put t1.Text (after validation) in the command string?

Thanks a lot!