how can I convert this code:
SELECT * FROM DB
WHERE field LIKE N'%'+RTRIM(LTRIM('98'))+N'%'
to:
SET @stringWhere= ' SELECT * FROM DB AND field LIKE '+N'%' +RTRIM(LTRIM(@field))+ N'%';
-
5That isn't what you want to do at all. You should NEVER build up a string like that. You should use parameterized queries to prevent sql injection. And of course the desired string you are asking for is not valid as there is no where clause.Sean Lange– Sean Lange2018-05-07 16:48:46 +00:00Commented May 7, 2018 at 16:48
-
5It's not clear to me what you're asking. Consider reviewing how to ask a good question. And as @SeanLange suggested, read up on SQL injection.Joe Farrell– Joe Farrell2018-05-07 16:50:21 +00:00Commented May 7, 2018 at 16:50
-
Hello, Masi, and welcome to Stack Overflow! As currently written your question is not clear, and may get closed. Don't give up. Improve your question so that it can be easily understood and you'll find that those close votes will be removed.STLDev– STLDev2018-05-07 16:57:37 +00:00Commented May 7, 2018 at 16:57
-
Do you want to know, that single quotes have to be doubled to escape them?sticky bit– sticky bit2018-05-07 17:39:00 +00:00Commented May 7, 2018 at 17:39
Add a comment
|
2 Answers
Kind of guessing here. Please the code below. And make sure you look at the comments in the code as there are several things that could use improvement.
declare @field nvarchar(10) = N'98'
select * --don't use *, select ONLY the columns you need
from DB
where Name like '%' + @field+ '%' --be careful here, this is a nonSARGable predicate with the leading wildcard. As such all indexes will be rendered useless.
Comments
I find answer my question, If I want to set SELECT command in SQL with string format we can use:
SET @stringWhere= 'SELECT * FROM DB AND field LIKE '+'N''%'+ RTRIM(LTRIM(@field))+'%'''+' ' ;