2
votes

I am using text boxes: textbox1 accepts the value for the existing field and textbox2 accepts the new field name. When I click on the button, the corresponding field name I entered in textbox1 in the DB should change to what was entered in textbox2.

    protected void Button1_Click(object sender, EventArgs e)
    {
        //str = "sp_RENAME 'book.author','Au_Name','COLUMN'";

        str = "sp_RENAME 'book.'" + TextBox1.Text + "','" + TextBox2.Text + "','COLUMN'";
        SqlConnection con = new SqlConnection("Data Source=.;Initial Catalog= Library;Integrated Security=true");
        con.Open();
        SqlCommand cmd = new SqlCommand(str, con);
        SqlDataReader dr = cmd.ExecuteReader();

        //("SELECT * FROM IMSLogin WHERE Uname = '" + Uname + "' AND PWD= '" + pwd + "'", con)
    }

Thanks Very much,

Thanks in advance!!


1 Answer

2
votes

The first and most obvious problem is that user input is sent directly to the db.

The second problem, which may solve your question, is the single quotation mark behind sp_rename 'book.

From comment: Replace

    str = "sp_RENAME 'book.'" + TextBox1.Text

with

    str = "sp_RENAME 'book." + TextBox1.Text

(and maybe add some checks on the content of TextBox1.Text)
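
An added example, not part of the original answer: one way to do the checks mentioned above and to stop building the SQL text from user input, by calling `sp_rename` as a stored procedure with parameters. The class and method names (`ColumnRenamer`, `IsSafeIdentifier`, `RenameBookColumn`) and the allow-list pattern are assumptions made for this illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Hypothetical helper, not code from the question or the answer.
public static class ColumnRenamer
{
    // Assumed policy: plain identifiers only (letter or underscore first,
    // then letters, digits or underscores, at most 128 characters).
    // This rejects quotes, dots, brackets, spaces and semicolons.
    private static readonly Regex SafeName =
        new Regex(@"\A[A-Za-z_][A-Za-z0-9_]{0,127}\z", RegexOptions.CultureInvariant);

    public static bool IsSafeIdentifier(string name)
    {
        return name != null && SafeName.IsMatch(name);
    }

    public static void RenameBookColumn(string connectionString, string oldName, string newName)
    {
        // Validate both names before anything reaches the database.
        if (!IsSafeIdentifier(oldName) || !IsSafeIdentifier(newName))
            throw new ArgumentException("Column names must be plain identifiers.");

        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("sp_rename", con))
        {
            // The procedure is invoked by name and the values travel as
            // parameters, so no SQL statement is concatenated from input.
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@objname", SqlDbType.NVarChar).Value = "book." + oldName;
            cmd.Parameters.Add("@newname", SqlDbType.NVarChar).Value = newName;
            cmd.Parameters.Add("@objtype", SqlDbType.VarChar).Value = "COLUMN";

            con.Open();
            cmd.ExecuteNonQuery(); // sp_rename returns no result set to read
        }
    }
}
```

In the button handler this would be called as `ColumnRenamer.RenameBookColumn(connectionString, TextBox1.Text, TextBox2.Text)`, catching `ArgumentException` to show a validation message.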