I am using text boxes, textbox1 accepts the value for the existing field and textbox2 accepts new field name. When I click on the button, the corresponding field name I entered in textbox1 in the d/b should change as entered in the textbox2.
protected void Button1_Click(object sender, EventArgs e)
{
    //str = "sp_RENAME 'book.author','Au_Name','COLUMN'";
    str = "sp_RENAME 'book.'" + TextBox1.Text + "','" + TextBox2.Text + "','COLUMN'";
    SqlConnection con = new SqlConnection("Data Source=.;Initial Catalog= Library;Integrated Security=true");
    con.Open();
    SqlCommand cmd = new SqlCommand(str, con);
    SqlDataReader dr = cmd.ExecuteReader();
    //("SELECT * FROM IMSLogin WHERE Uname = '" + Uname + "' AND PWD= '" + pwd + "'", con)
}
Thanks Very much,
Thanks in advance!!
1 Answer
The first and most obvious problem is that user input is sent directly to the db.
The second problem, which may solve your question, is the single quotation behind
sp_rename 'book.
From comment: Replace
with
(and maybe add some checks on the content of TextBox1.Text)