I'm aware of how parameterised queries work, and I've used them in every non-hardcoded query I've written so far. However, when writing a function to create a dynamic query (for testing purposes), it made me question whether it would actually be safe to use "as is":
string sql = "SELECT * FROM Table WHERE";
string fullstring = "The quick brown fox jumped over";
// Split only on the space character; each word is concatenated straight into the SQL
string[] words = fullstring.Split(' ');
foreach (string item in words)
{
    sql = sql + " Column LIKE '%" + item + "%' AND";
}
// Strip the trailing " AND" (4 characters) left by the last iteration
sql = sql.Remove(sql.Length - 4);
If I were to turn this into a query, the result would be:
SELECT * FROM Table WHERE Column LIKE '%the%' AND Column LIKE '%quick%' AND Column LIKE '%brown%' AND Column LIKE '%fox%' AND Column LIKE '%jumped%' AND Column LIKE '%over%'
Now, I'm still pretty sure that this is open to injection attacks due to the lack of parameters; however, I'm unsure how, since the delimiter being a space character means things like SELECT * FROM TABLE or DROP TABLE can't be written in the string, as each would be split into its own string, i.e. SELECT, *, FROM and TABLE.
Can anyone enlighten me further?
(Note: I'm not planning on using this as an alternative to proper parameters, just trying to understand.)
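As an added example (not part of the question above, and not the questioner's code), the following Python script reproduces the same string-building logic against an in-memory SQLite table and runs three payloads that contain no space at all, so `Split(' ')` leaves each one as a single "word". The table and column names `Items`/`Name` are assumptions standing in for the question's `Table`/`Column` (TABLE is a reserved word in SQLite), and the two rows are constructed sample data. The point it shows: the attacker never needs a space. A single quote closes the literal, `--` comments out the rest of the query, parentheses and `/**/` comments stand in for whitespace, and tabs or newlines are SQL whitespace that `Split(' ')` does not touch. Whether the stacked `DROP TABLE` actually executes depends on the driver accepting statement batches (SQL Server's SqlCommand does; Python's `sqlite3.execute()` refuses, so `executescript()` is used to mimic such a driver).

```python
import sqlite3

# Constructed demo schema; the question's "Table"/"Column" are renamed to
# Items/Name because TABLE is a reserved word in SQLite.
SCHEMA = "CREATE TABLE Items (Id INTEGER PRIMARY KEY, Name TEXT, Secret TEXT)"
ROWS = [("quick brown fox", "public"), ("lazy dog", "hidden")]


def build_query(fullstring: str) -> str:
    """Same construction as the question's C#: split on ' ' only, concatenate
    each word into the SQL text, drop the trailing ' AND'. Nothing is escaped."""
    sql = "SELECT * FROM Items WHERE"
    for item in fullstring.split(" "):
        sql += " Name LIKE '%" + item + "%' AND"
    return sql[:-4]


def fresh_db() -> sqlite3.Connection:
    """New in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO Items (Name, Secret) VALUES (?, ?)", ROWS)
    return conn


def concatenated_search(search: str) -> list:
    """Run the concatenated query as a single statement."""
    return fresh_db().execute(build_query(search)).fetchall()


def parameterised_search(search: str) -> list:
    """The safe equivalent: one placeholder per word, wildcards added to the
    bound value, so a word can never terminate the string literal."""
    words = search.split(" ")
    sql = "SELECT * FROM Items WHERE " + " AND ".join(["Name LIKE ?"] * len(words))
    return fresh_db().execute(sql, ["%" + w + "%" for w in words]).fetchall()


def stacked_statements_drop_table(search: str) -> bool:
    """Mimic a driver that accepts statement batches (SQL Server's SqlCommand
    does; sqlite3.execute() refuses, so executescript() stands in for it).
    Returns True if the Items table still exists afterwards."""
    conn = fresh_db()
    conn.executescript(build_query(search))
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='Items'"
    ).fetchone()
    return row is not None


# Payloads with no spaces: Split(' ') leaves each one intact as one "word".
BOOLEAN_BYPASS = "x'OR(1=1)--"                 # close literal, OR in a tautology
TAB_SEPARATED = "x'\tOR\t1=1--"                # tabs are SQL whitespace, not split
STACKED_DROP = "x';DROP/**/TABLE/**/Items;--"  # /**/ comments stand in for spaces

if __name__ == "__main__":
    print(build_query("The quick brown fox jumped over"))
    print(build_query(BOOLEAN_BYPASS))
    print(concatenated_search("fox"))              # only the matching row
    print(concatenated_search(BOOLEAN_BYPASS))     # every row, 'hidden' included
    print(parameterised_search(BOOLEAN_BYPASS))    # no rows: payload is plain text
    print(stacked_statements_drop_table(STACKED_DROP))  # False: table is gone
```

Two caveats on the parameterised version: it still lets the user supply `%` and `_`, which keep their LIKE wildcard meaning inside a bound value (escape them if that matters), and the number of placeholders grows with the number of words, so cap the word count before building the statement.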