Sql Command Paramaters

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I'm building a dynamic command like this.
"SELECT * FROM Clients WHERE FirstName LIKE @FirstName"
and I set the paramater like this.

sqlCMD.Paramaters.Add("@FirstName", "%" & fnameVariable & "%")

The reason I'm doing this is I need it to search the whole field to see if it contains any of the text in "fnameVariable". My question is am I going to run into any problems if the user enters in any special characters for the "fnameVariable" (i.e. %, *, etc)?
I was under the impression that using the SqlCommand with paramaters was supposed to take care of that sort of stuff.
 
SubstandardSnowman said:
I'm building a dynamic command like this.
"SELECT * FROM Clients WHERE FirstName LIKE @FirstName"
and I set the paramater like this.

sqlCMD.Paramaters.Add("@FirstName", "%" & fnameVariable & "%")

The reason I'm doing this is I need it to search the whole field to
see if it contains any of the text in "fnameVariable". My question is
am I going to run into any problems if the user enters in any special
characters for the "fnameVariable" (i.e. %, *, etc)?
I was under the impression that using the SqlCommand with paramaters
was supposed to take care of that sort of stuff.
Click to expand...

SqlCommand takes care of quoting and formatting parameters so that the
correct value ends up being processed by the database. However, LIKE is
a slight oddity in that there's another level of processing going on
when you've got the value up to the database itself.

Could you use other SQL functions which don't require the same kind of
processing?
 
Hi,

SubstandardSnowman said:
I'm building a dynamic command like this.
"SELECT * FROM Clients WHERE FirstName LIKE @FirstName"
and I set the paramater like this.

sqlCMD.Paramaters.Add("@FirstName", "%" & fnameVariable & "%")

The reason I'm doing this is I need it to search the whole field to see if
Click to expand...
it contains any of the text in "fnameVariable". My question is am I going to
run into any problems if the user enters in any special characters for the
"fnameVariable" (i.e. %, *, etc)?
I was under the impression that using the SqlCommand with paramaters was
Click to expand...
supposed to take care of that sort of stuff.

Parametrised query protects you from injection attack and takes care of
quoting.
What problems have you in mind?
 
I really doubt that SQLCommand parameters will deal problems like that.
Because it cannot really know if the % in the middle of fnameVariable
should be dealt as a wildcard character or not.
To use wildcard characters as literals include them in [] bracets.
that is '%a' will find match any string ending with a while '[%]a' will match strings containing '%a'
 
Back
Top