I am adding a parameter by

qry = qry.Replace("{criteria}", "info.abc LIKE '%?val%'");

The command did not work. If I remove the ' ' from the command, then it gives an error. How can I search the table in C#?

+2  A: 

As per the syntax of T-SQL LIKE, you are required to put the search value between ' '.

Example:

WHERE title LIKE '%computer%'

Syntax:

match_expression [ NOT ] LIKE pattern [ ESCAPE escape_character ]
Pranay Rana
A: 

Another way to do this which is more explicit - and in my opinion more readable because it avoids the crockety parts of the SQL syntax:

SqlDataReader r = new SqlCommand("SELECT * FROM the_table").ExecuteReader();
object[] values = new object[5000];
r.GetValues(values);
foreach (string value in values)
    if (value.Length > 4)
        if (value.Contains("val"))
            new SqlCommand("UPDATE the_table SET value = 'newValue' WHERE "+
                           "value = '"+value+"'").ExecuteNonQuery();
CSpangled
This solution has a risk of SQL injection (see http://en.wikipedia.org/wiki/SQL_injection). It would be better to use parameterized queries. Also, it can have a high impact on performance (it needs to run as many queries as there are records in "the_table").
ckarras
@ckarras: Thanks, didn't know about the SQL inject attack. Performance shouldn't be a worry, though. Focus first on getting it right, then on getting it fast if you need to.
CSpangled
@CSpangled :- `Focus first on getting it right, then on getting it fast if you need to`. Where is the connection string used? Without connection string how will it know which database and which instance to execute command against?
Ankit Rathod
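
The parameterized form of the LIKE search asked about in the question, and recommended in ckarras's comment, as an added example that is not code from any of the posters. It assumes SQL Server with `System.Data.SqlClient`; the `@pattern` parameter name, the `info` alias on `the_table`, the `EscapeLike` helper and the connection string are hypothetical placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class LikeSearch
{
    // Hypothetical helper: escape LIKE metacharacters so the search term is
    // matched literally. Backslash is the character named in ESCAPE below.
    static string EscapeLike(string input)
    {
        return input.Replace(@"\", @"\\")
                    .Replace("%", @"\%")
                    .Replace("_", @"\_")
                    .Replace("[", @"\[");
    }

    // Returns the rows whose abc column contains the search term.
    static DataTable Search(string connectionString, string term)
    {
        // The placeholder stands outside any quotes: inside '...' it is
        // literal text, which is why LIKE '%?val%' never matched anything.
        const string sql =
            "SELECT info.abc FROM the_table AS info " +
            @"WHERE info.abc LIKE @pattern ESCAPE '\'";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // The wildcards belong to the parameter value, not the SQL text,
            // so the term is never concatenated into the statement.
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 4000).Value =
                "%" + EscapeLike(term) + "%";

            var table = new DataTable();
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                table.Load(reader);
            return table;
        }
    }

    static void Main(string[] args)
    {
        // Placeholder connection string (assumption): replace with your own.
        string cs = "Server=localhost;Database=ExampleDb;Integrated Security=true";
        string term = args.Length > 0 ? args[0] : "val";
        foreach (DataRow row in Search(cs, term).Rows)
            Console.WriteLine(row["abc"]);
    }
}
```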