I am writing a searching function, and have thought up this query using parameters to prevent, or at least limit, SQL injection attacks. However, when I run it through my program it does not return anything:

SELECT * FROM compliance_corner WHERE (body LIKE '%@query%') OR (title LIKE '%@query%')

Can parameters be used like this, or are they only valid in an instance such as:

SELECT * FROM compliance_corner WHERE body LIKE '%<string>%' (where <string> is the search object).

EDIT: I am constructing this function with VB.NET, does that have impact on the syntax you guys have contributed?

Also, I ran this statement in SQL Server: SELECT * FROM compliance_corner WHERE (body LIKE '%max%') OR (title LIKE '%max%') and that returns results.

A: 

You may have to concatenate the % signs with your parameter, e.g.:

LIKE '%' || @query || '%'

Edit: Actually, that may not make any sense at all. I think I may have misunderstood your problem.

Will Wagner
+4  A: 

Try:

select * from compliance_corner
   where (body like '%' + @query + '%') or (title like '%' + @query + '%')
tvanfosson
As Adam has pointed out in his answer, this does not protect against SQL injection. The query should be parameterized.
DOK
A: 

you have to do:

LIKE '%' + @param + '%'

Andrew Bullock
+7  A: 

Your visual basic code would look something like this:

Dim cmd as New SqlCommand("SELECT * FROM compliance_corner WHERE (body LIKE '%' + @query + '%') OR (title LIKE '%' + @query + '%')")

cmd.Parameters.Add("@query", searchString)
John
As Adam has pointed out in his answer, this does not protect against SQL injection. The query should be parameterized.
DOK
Could you provide an example where this does not prevent against SQL injection? From my testing it works fine
John
+5  A: 

Well, I'd go with:

 Dim cmd As New SqlCommand( _
     "SELECT * FROM compliance_corner" _
     + " WHERE (body LIKE @query)" _
     + " OR (title LIKE @query)")

 cmd.Parameters.Add("@query", "%" + searchString + "%")
James Curran
This is correct, the accepted answer provided by John has the wrong syntax!
Adam
I am unsure how his syntax is incorrect, his solution worked just fine. I have a function that constructs and returns an SQL statement for use in a datatable or whatever else.
Anders
Additional note: syntax for C# using the MySQLDataAdapter:

 da = new MySQLDataAdapter("SELECT * FROM tableA WHERE fieldA = @fieldA");
 da.SelectCommand.Parameters.AddWithValue("@fieldA", "%" + someValue + "%");
John M
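The whole thread comes down to one point: a parameter name written inside a quoted string literal (`'%@query%'`) is just text to the database, so the driver never binds anything to it, and the two working answers differ only in whether the `%` wildcards are concatenated around the parameter in the SQL or appended to the bound value in application code. The following script is an added example, not code from the question or any of the answers. It uses Python's built-in sqlite3 module and an in-memory table with constructed sample rows instead of VB.NET and SQL Server (SQLite spells string concatenation `||` where T-SQL uses `+`, and uses `:name` placeholders where SqlClient uses `@name`); `compliance_corner`, `title` and `body` are the names from the question. It also adds one caveat the answers do not cover: `%` and `_` typed by the user are themselves LIKE wildcards, so a search that should match them literally needs an `ESCAPE` clause.

```python
import sqlite3

# Constructed sample rows standing in for the asker's compliance_corner table.
ROWS = [
    ("Max exposure limits", "Rules on maximum position size."),
    ("Reporting calendar", "Quarterly filings; contact Max for details."),
    ("Fee schedule", "A flat 2% fee applies."),
    ("Account naming", "Account codes use the form ACC_2 for sub-accounts."),
]


def make_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE compliance_corner (title TEXT, body TEXT)")
    conn.executemany("INSERT INTO compliance_corner VALUES (?, ?)", ROWS)
    return conn


def search_placeholder_in_literal(conn, query):
    """The asker's original shape. ':query' sits inside a string literal, so the
    database sees no parameter at all and LIKE looks for the literal text
    ':query' in every row. The bound value is simply ignored."""
    sql = ("SELECT title FROM compliance_corner "
           "WHERE body LIKE '%:query%' OR title LIKE '%:query%' ORDER BY title")
    return [r[0] for r in conn.execute(sql, {"query": query})]


def search_concat_in_sql(conn, query):
    """tvanfosson's and John's shape: the wildcards are concatenated around a
    real bound parameter inside the SQL (SQLite '||' == T-SQL '+')."""
    sql = ("SELECT title FROM compliance_corner "
           "WHERE body LIKE '%' || :query || '%' "
           "OR title LIKE '%' || :query || '%' ORDER BY title")
    return [r[0] for r in conn.execute(sql, {"query": query})]


def search_wildcards_in_param(conn, query):
    """James Curran's shape: the SQL carries a bare parameter and the wildcards
    are added to the value in application code before binding."""
    sql = ("SELECT title FROM compliance_corner "
           "WHERE body LIKE :pattern OR title LIKE :pattern ORDER BY title")
    return [r[0] for r in conn.execute(sql, {"pattern": f"%{query}%"})]


def escape_like(term, esc="\\"):
    """Escape the LIKE metacharacters (%, _) and the escape char itself so that
    user-typed wildcards are matched literally. Helper added for this example."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_literal(conn, query):
    """Same as search_wildcards_in_param, but with an ESCAPE clause so that a
    '%' or '_' in the user's input narrows the search instead of widening it."""
    sql = ("SELECT title FROM compliance_corner "
           "WHERE body LIKE :pattern ESCAPE '\\' "
           "OR title LIKE :pattern ESCAPE '\\' ORDER BY title")
    pattern = f"%{escape_like(query)}%"
    return [r[0] for r in conn.execute(sql, {"pattern": pattern})]


if __name__ == "__main__":
    db = make_db()
    print("placeholder in literal :", search_placeholder_in_literal(db, "max"))
    print("concat in SQL          :", search_concat_in_sql(db, "max"))
    print("wildcards in parameter :", search_wildcards_in_param(db, "max"))
    # Input that looks like an injection attempt is bound as a plain value and
    # therefore matches nothing, in both parameterized forms.
    hostile = "' OR 1=1 --"
    print("hostile, concat        :", search_concat_in_sql(db, hostile))
    print("hostile, parameter     :", search_wildcards_in_param(db, hostile))
    # A user searching for the literal text "2%" gets two rows without
    # escaping (the % acts as a wildcard) and one row with it.
    print("'2%' unescaped         :", search_wildcards_in_param(db, "2%"))
    print("'2%' escaped           :", search_literal(db, "2%"))
```

Running it shows the original query returning an empty list for "max" while both answer shapes return the two rows that mention Max (SQLite's LIKE is case-insensitive for ASCII, matching the asker's SQL Server result). Both shapes are equally parameterized: the hostile-looking input is compared as data, never parsed as SQL, which is the property the thread's comments are arguing about. The escaped variant is the one to use when the search box is meant to find the text the user typed rather than a pattern.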