Create SQL Server database from C# - using parameters

Upseporobef

New Member
I am trying to put together code to create a database from my C# code (ASP.NET website). This is my code:

\[code\]
SqlCommand myCommand = new SqlCommand("CREATE DATABASE @dbname", nn);
myCommand.Parameters.Add("dbname", dbname);
myCommand.ExecuteNonQuery();
nn.Close();
\[/code\]

Well, it's not working. It's giving me an error:

\[quote\]incorrect syntax near '@dbname'\[/quote\]

But if I don't use parameters, people can SQL inject into my database. Do you have any idea how I can get the database name from a textbox so that people can't SQL inject my database?
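Added example, not part of the original post: SQL Server does not accept a parameter where `CREATE DATABASE` expects an identifier, so one defensive pattern is to validate the name against a strict allowlist and then pass it as ordinary data to `QUOTENAME` inside dynamic SQL. The class name `DatabaseCreator`, the naming policy in the regex, and the `connectionString` argument are assumptions made for this sketch.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class DatabaseCreator
{
    // Assumed naming policy: letter or underscore first, then letters, digits
    // or underscores, 64 characters at most. \A and \z anchor the whole string;
    // "$" would also accept a trailing newline.
    private static readonly Regex SafeName =
        new Regex(@"\A[A-Za-z_][A-Za-z0-9_]{0,63}\z", RegexOptions.CultureInvariant);

    public static bool IsSafeDatabaseName(string name)
    {
        return name != null && SafeName.IsMatch(name);
    }

    public static void CreateDatabase(string connectionString, string dbName)
    {
        // First layer: reject anything outside the allowlist before it reaches SQL.
        if (!IsSafeDatabaseName(dbName))
            throw new ArgumentException("Database name contains characters that are not allowed.", nameof(dbName));

        // Second layer: @dbname is valid here because it is used as data (the
        // argument to QUOTENAME), not as an identifier in the DDL text itself.
        // QUOTENAME wraps the value in [ ] and doubles any ] inside it. It returns
        // NULL for input longer than 128 characters, which the length limit above rules out.
        const string sql =
            "DECLARE @sql nvarchar(400); " +
            "SET @sql = N'CREATE DATABASE ' + QUOTENAME(@dbname); " +
            "EXEC sp_executesql @sql;";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@dbname", SqlDbType.NVarChar, 128).Value = dbName;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

The login in the connection string needs permission to create databases, so it should be a separate account from the one the website uses for ordinary queries.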
 