81

I am writing a searching function, and have thought up this query using parameters to prevent, or at least limit, SQL injection attacks. However, when I run it through my program it does not return anything:

SELECT * FROM compliance_corner WHERE (body LIKE '%@query%') OR (title LIKE '%@query%')

Can parameters be used like this, or are they only valid in an instance such as:

SELECT * FROM compliance_corner WHERE body LIKE '%<string>%' (where <string> is the search object).

EDIT: I am constructing this function with VB.NET, does that have an impact on the syntax you guys have contributed?

Also, I ran this statement in SQL Server: SELECT * FROM compliance_corner WHERE (body LIKE '%max%') OR (title LIKE '%max%') and that returns results.

6 Answers

117

Well, I'd go with:

 ' A space is required before the VB line-continuation underscore.
 Dim cmd As New SqlCommand( _
  "SELECT * FROM compliance_corner" _
  & " WHERE (body LIKE @query)" _
  & " OR (title LIKE @query)")

 ' The wildcards travel inside the parameter value, not in the SQL text.
 ' AddWithValue replaces the obsolete Add(String, Object) overload.
 cmd.Parameters.AddWithValue("@query", "%" & searchString & "%")

6 Comments

This is correct, the accepted answer provided by John has the wrong syntax!
I am unsure how his syntax is incorrect, his solution worked just fine. I have a function that constructs and returns an SQL statement for use in a datatable or whatever else.
Additional Note: Syntax for C# using the MySQLDataAdapter: da = new MySQLDataAdapter("SELECT * FROM tableA WHERE fieldA = @fieldA"); da.SelectCommand.Parameters.AddWithValue("@fieldA", "%" + someValue + "%");
The other answer (from John) works too, but is indeed vulnerable to like injection, which MIGHT give strange results, depending on the purpose of your field.
Shouldn't cmd.Parameters.Add become cmdLoad.Parameters.AddWithValue, or is there any issue? I understand that James's answer is from 2008 :)
77

Your visual basic code would look something like this:

Dim cmd as New SqlCommand("SELECT * FROM compliance_corner WHERE (body LIKE '%' + @query + '%') OR (title LIKE '%' + @query + '%')")

cmd.Parameters.Add("@query", searchString)

6 Comments

As Adam has pointed out in his answer, this does not protect against SQL injection. The query should be parameterized.
Could you provide an example where this does not prevent against SQL injection? From my testing it works fine
It's not open to SQL injection, just LIKE injection. This means the user can enter special characters such as % ^ and _ which LIKE will interpret specially. This means the user may not get what they expect for certain searches. As an example, a search for 'less than 1% fat' may return the result 'less than 1% of doctors recommend this - it's full of fat!'.
I agree, the like is subject to "Like Injection" and that the harm is only the user not getting what they expect. Query sanitation should be performed at all times even when parameterized. Relying on that protection alone is not exactly secure.
I'd also recommend doing searchString.Replace("[","[[]").Replace("%","[%]").Replace("_","[_]"), which will avoid LIKE injection (as long as you're not using the escape clause).
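Added example, not code from any answer on this page: the three variants discussed above run against an in-memory SQLite table standing in for compliance_corner, so the behaviour can be reproduced offline. It shows why the question's '%@query%' never matches, the parameterised pattern the answers recommend, and a portable ESCAPE-clause fix for the LIKE injection raised in the comments; the sample rows and the use of SQLite (with its @name parameter syntax) in place of SQL Server are assumptions.

```python
import sqlite3

# Constructed rows standing in for the compliance_corner table in the question
# (SQLite is used as a stand-in for SQL Server so the example runs offline).
ROWS = [
    ("less than 1% fat", "nutrition label"),
    ("less than 1% of doctors recommend this - it's full of fat!", "ad copy"),
    ("max fine schedule", "max"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE compliance_corner (body TEXT, title TEXT)")
    conn.executemany("INSERT INTO compliance_corner VALUES (?, ?)", ROWS)
    return conn

def search_as_asked(conn):
    # The question's query: @query sits inside a string literal, so the statement
    # has no bind parameter at all and LIKE looks for the text "@query" verbatim.
    sql = ("SELECT body FROM compliance_corner "
           "WHERE (body LIKE '%@query%') OR (title LIKE '%@query%')")
    return [row[0] for row in conn.execute(sql)]

def search(conn, term):
    # The accepted fix: the parameter carries the whole pattern and the wildcards
    # are appended in application code, never spliced into the SQL text.
    sql = ("SELECT body FROM compliance_corner "
           "WHERE (body LIKE @query) OR (title LIKE @query)")
    return [row[0] for row in conn.execute(sql, {"query": "%" + term + "%"})]

def escape_like(term, esc="\\"):
    # Neutralise LIKE metacharacters so user input matches literally. This is the
    # portable ESCAPE form; the [%] bracket rewrite in the comments is T-SQL only.
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))

def search_literal(conn, term):
    # Parameterised and immune to LIKE injection: a user-typed % or _ only matches itself.
    sql = ("SELECT body FROM compliance_corner "
           "WHERE (body LIKE @query ESCAPE '\\') OR (title LIKE @query ESCAPE '\\')")
    pattern = "%" + escape_like(term) + "%"
    return [row[0] for row in conn.execute(sql, {"query": pattern})]

if __name__ == "__main__":
    db = make_db()
    print(search_as_asked(db))           # [] - nothing contains the text "@query"
    print(search(db, "1% fat"))          # both "fat" rows: the typed % acted as a wildcard
    print(search_literal(db, "1% fat"))  # ['less than 1% fat'] only
```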
25

You have to do:

LIKE '%' + @param + '%'

1 Comment

excellent solution - would give it more than +1 if possible! Thanks
1

You may have to concatenate the % signs with your parameter, e.g.:

LIKE '%' || @query || '%'

Edit: Actually, that may not make any sense at all. I think I may have misunderstood your problem.

Comments

1

Sometimes the symbol used as a placeholder % is not the same if you execute a query from VB as when you execute it from MS SQL / Access. Try changing your placeholder symbol from % to *. That might work.
However, if you debug and want to copy your SQL string directly in MS SQL or Access to test it, you may have to change the symbol back to % in MS SQL or Access in order to actually return values.

Hope this helps

1 Comment

I don't know for sure as of 2012, but this % vs * is specific to ADO vs DAO engines. If you are using DAO, or Current() in Access, the wildcard is *; if using ADO from any code, including VBA inside Access, the wildcard is %.
1

Try also this way:

Dim cmd As New SqlCommand("SELECT * FROM compliance_corner WHERE (body LIKE CONCAT('%',@query,'%')  OR  title LIKE CONCAT('%',@query,'%') )")
cmd.Parameters.AddWithValue("@query", searchString)
' A SELECT returns rows, so read them; ExecuteNonQuery would discard the result set.
Dim reader As SqlDataReader = cmd.ExecuteReader()

Used Concat instead of +

Comments
