Hi everyone, I have a problem that I cannot solve, so I decided to post it here; perhaps you can help me out.

Well, here is my case:
1. I can already create a new table based on the username that the user types in the registration form and store it in the database.

Here is my problem:

  1. When the user logs in through the login form, I want the database to be loaded based on the username.
    For example: I created a table named "Fuhans" in the database, and when I log in through the login form, I use the name "Fuhans" as the username, and the database is loaded based on the username that I typed (for now it is Fuhans).

Here is my question:

  1. What happens, and how do I make it work, if the user is different? For example: the OleDbCommand code is fixed to "FROM [Fuhans]", and the user types a different name as the username in the login form. In this case, whatever the user types as the username in the login form, the database loads the "Fuhans" table. What I want is that whatever the user types as the username in the login form, the database is loaded based on that username.

Here is the link to the screenshot or the code that proves my case above:
1. Here and Here.

  1. OleDbCommand cmd = new OleDbCommand("SELECT [Code] FROM ['" + firstForm.textBox1.Text + "']", conn);

That code above doesn't work for me. textBox1.Text is where the username is entered in the login form.
What I have tried with the above code is: if the user types "A" as the username, the program checks whether there is a table named "A" in the database, and if it is valid (i.e., there is one), the database loads.

Thanks in advance!

All 2 Replies

Use String.Format to create your query string. Personally, I don't like what you're doing from a design aspect, it seems...dangerous :P

Anyhow, in your case you would put string query = String.Format("select [Code] from [{0}]", textBox1.Text);

Note that this is extremely dangerous and is a gaping wide hole for SQL Injection attacks.

This is also problematic from performance and maintenance perspectives. In a real-world database, you don't want to have special tables per user. Instead, consider a separate Users table that your user data table refers to. Your query ends up looking more like this:

SELECT [Code] FROM [UserData] ud WHERE ud.UserID = ####

Of course, you'll have to look up the UserID when they log in; I wouldn't recommend using the user name as the search criterion (for performance reasons).

Also, consider using parameterized queries instead of building the query string yourself. This addresses the SQL injection issue, and may also improve performance if the backing database caches execution plans.
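
The shared-table design and parameterized queries recommended in the replies above, as an added example that is not code from the thread. The [UserName] column, the column types, the class and method names, and the connection string passed on the command line are assumptions. Table names cannot be bound as parameters, which is why the user name has to become a value in a WHERE clause rather than part of the FROM clause.

```csharp
using System;
using System.Collections.Generic;
using System.Data.OleDb;

// Assumed schema (not from the thread):
//   Users(UserID AUTOINCREMENT PRIMARY KEY, UserName TEXT(50), unique)
//   UserData(UserID LONG, Code TEXT(50))
public static class UserCodes
{
    // Look up the numeric UserID once, at login. The user name is sent as a
    // parameter value, so quotes or brackets in it cannot alter the SQL text.
    public static int? FindUserId(OleDbConnection conn, string userName)
    {
        using (var cmd = new OleDbCommand(
            "SELECT [UserID] FROM [Users] WHERE [UserName] = ?", conn))
        {
            // OleDb binds parameters by position; the name is only a label.
            cmd.Parameters.Add("@userName", OleDbType.VarWChar, 50).Value = userName;
            object result = cmd.ExecuteScalar();   // null when no row matches
            return result == null || result == DBNull.Value
                ? (int?)null : Convert.ToInt32(result);
        }
    }

    // Later queries filter the shared table by the UserID found at login.
    public static List<string> LoadCodes(OleDbConnection conn, int userId)
    {
        var codes = new List<string>();
        using (var cmd = new OleDbCommand(
            "SELECT [Code] FROM [UserData] WHERE [UserID] = ?", conn))
        {
            cmd.Parameters.Add("@userId", OleDbType.Integer).Value = userId;
            using (OleDbDataReader reader = cmd.ExecuteReader())
                while (reader.Read())
                    codes.Add(Convert.ToString(reader["Code"]));
        }
        return codes;
    }

    // args[0]: connection string (assumed); args[1]: name typed at login.
    public static void Main(string[] args)
    {
        using (var conn = new OleDbConnection(args[0]))
        {
            conn.Open();
            int? id = FindUserId(conn, args[1]);
            if (id == null) { Console.WriteLine("Unknown user"); return; }
            LoadCodes(conn, id.Value).ForEach(Console.WriteLine);
        }
    }
}
```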
