I am trying to put up a code to create a databases from my C# code (asp.net website).

我正在尝试建立一个代码，从我的c#代码(asp.net网站)创建一个数据库。

This is my code:

这是我的代码:

SqlCommand myCommand = new SqlCommand("CREATE DATABASE @dbname", nn);
myCommand.Parameters.Add("dbname", dbname);

myCommand.ExecuteNonQuery();
nn.Close();

well, its not working. its giving me an error:

嗯,它不工作。它给了我一个错误:

incorrect syntax near '@dbname'

不正确的语法@dbname的附近

BUT. if I won't use parameters, people can SQL inj to my database. do you have any idea how can use anything, to get the database name from a textbox. and that people can't SQL inj me database?

但是。如果我不使用参数，人们可以SQL inj到我的数据库。你知道如何从文本框中获取数据库名吗?人们不能SQL inj数据库吗?

1 个解决方案

#1

---