Using "Like" operator in parameterized queries

Friday, December 19, 2008

As you know parameterized queries has two benefit against regular queries .

First for preventing of some SQL injection attacks and second take advantages of query plan caching.

One simple example is like this.

string command = "Select FirstName from UsersTable where Age = @Age";
SqlCommand cmd = new SqlCommand(command);
cmd.Parameters.AddWithValue("@Age", textBox1.Text);

But if you want to use "Like" operator in query, scenario is a bit different.

In this post I introduce two way for doing that.

1 . using "Like" operator with plus sign in query :

string command = "Select FirstName from UsersTable where FirstName Like
'%'+ @FirstName + '%'  ";
SqlCommand cmd = new SqlCommand(command);
cmd.Parameters.AddWithValue("@FirstName", textBox1.Text);

2. using percentage sign when parameter assignments :

string command = "Select FirstName from UsersTable where FirstName
Like @FirstName";
SqlCommand cmd = new SqlCommand(command);
cmd.Parameters.AddWithValue("@FirstName", string.Format("%{0}%", textBox1.Text)); 

Have a good time!

5 Comments

Doesn't #1 have a potential Sql injection problem?

------------------------------------------------------------------------

@ AndrewSeven

No , that is safe, you can test it.

AndrewSeven - Friday, December 19, 2008 8:10:06 PM

Thanks a million for this post; I'd been trying to debug my asp.net sql statement for a while and couldn't figure out why the sql statement wouldn't execute properly within .net.

Alex - Monday, July 13, 2009 7:05:05 PM

Thank you very much for this post. This will helps me with a search bar on an inventory system I am working on.

DChiShaggy - Friday, May 28, 2010 3:31:31 PM

Thank you .It works...

I used No 1 option

on data binding controls

Kasun Wickramarathna - Sunday, April 17, 2011 10:52:04 AM

thank u

bijjula - Wednesday, August 29, 2012 8:35:48 AM

Comments have been disabled for this content.