19

I am trying to build SQL for a parameter query in C# for a query which will contain the LIKE %% command.

Here is what I am trying to acheive (please note that the database is Firebird)

var SQL = string.format("SELECT * FROM {0} WHERE {1} LIKE '%?%'", TABLE, NAME);
 cmd.Parameters.AddWithValue(NAME, "JOHN");

Now I have tried every single permutation to get the parameter to work, I have tried;

  • Adding the % character to the parameter,

    cmd.Parameters.AddWithValue(NAME, "%" + "JOHN" + "%");

  • or

    cmd.Parameters.AddWithValue(NAME, "'%" + "JOHN" + "%'");

I cannot seem to get this to work, how can I use a parameter for the LIKE query to work.

Suggestions are welcome!

Improve this question
2
  • it seems like there is some missing code, where are you assigning the SQL to the command? What error are you getting or is the query result just not what you expect? Commented Mar 19, 2009 at 22:37
  • yes, SQL is being assigned to the Cmd.CommandText parameter. Commented Mar 19, 2009 at 22:50

3 Answers 3

Reset to default
28

You can't have parameters inside of a string literal in the query. Make the entire value the parameter, and add the wildcards to the string:

var SQL = string.format("SELECT * FROM {0} WHERE {1} LIKE ?", TABLE, NAME);
Cmd.Parameters.AddWithValue(NAME, "%" + "JOHN" + "%");
Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Pay closer attention: he moved the wild cards to the parameter. This will work, but imo it's the wrong way to do it.
@Myhiad: Notice that there is only ? after the like operator, no wildcard characters and no apostrophes.
@Joel Coehoorn: There is no reason to be rude. The question doesn't contain any information about how the query looks after the parameter has been changed.
5 
var SQL = string.Format("SELECT * FROM {0} WHERE {1} LIKE '%' + ? + '%'", TABLE, NAME);
Cmd.CommandText = SQL;
Cmd.Parameters.Add("?", SqlDbType.VarChar, 50).Value = "JOHN";
Improve this answer

5 Comments

is this SQL valid for Firebird?
I didn't see the firebird requirement. I updated the sql to make sure it's okay, but the parameter code is wrong because the SqlDbType enum was intended for Sql Server. I still like to avoid AddWithValue, though
this is just not working for me. I am getting the following error; FirebirdSql.Data.FirebirdClient.FbException : Dynamic SQL Error expression evaluation not supported ----> FirebirdSql.Data.Common.IscException : Exception of type 'FirebirdSql.Data.Common.IscException' was thrown.
For Firebird (and standard SQL), you need to use the || concatenation operator instead of +, that is LIKE '%' || ? || '%'
I wanted to see how to do it with SQL Server, so your original answer still has value. You may consider showing both versions in your answer.
-4

In the past when doing this, i've simply integrated it into the sql, making sure that i replace single quotes with question marks to deal with sql injection. Eg:

var SQL = string.format("SELECT * FROM {0} WHERE {1} LIKE '%{2}%'",
  TABLE,
  NAME,
  JOHN.Replace("'","?"));
Improve this answer

2 Comments

It would be better to replace single quotes with two single quotes, so that legitimate searches including quotes actually work. Replace("'", "''")
it exposes to sql injection attacks

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.