I have a query string
that works fine if tableStr
is for example MSFT
. However, if tableStr is BRK-B
, the query
fails.
string query = "SELECT * FROM " + tableStr + " where DATE(Date) >= " + "'" + howFarBack.ToString("yyyy-MM-dd") + "'";
How do I get around this?
Advertisement
Answer
Per MySQL Documentation, “The identifier quote character is the backtick (`)”.
This means that if your table name has special characters in it, you need to surround the identifier with backticks. To avoid SQL injection problems, you should also escape all backticks `
by converting them to double backticks ``
.
For all other parameters, use command parameters to avoid SQL injection.
using var cmd = new MySqlCommand(); cmd.CommandText = "SELECT * FROM `" + tableStr.Replace("`", "``") + "` where DATE(Date) >= @howFarBack"; cmd.Parameters.AddWithValue("@howFarBack", howFarBack);