Building dynamic sql query with deafult characters

G

Guest

Hi All,

What is the good way to handle a string which contains characters like
single quote (') or square bracket with LIKE ([]), while building a SQL
statement. Right now iam searching these characters in the string and adding
the escape chars for that.

eg 1: (This will fail to search)

String* searchVal = S"Test'quote";
String* str = S"";
str = String::Format(S"Select * from t1 where c1 = '{0}'", searchVal);

eg 2: (so i need to add a extra ' in the string)
String* searchVal = S"Test''quote";

Any other solutions for this

Hari
 
F

Frans Bouma [C# MVP]

Hari said:
Hi All,

What is the good way to handle a string which contains characters
like single quote (') or square bracket with LIKE ([]), while
building a SQL statement. Right now iam searching these characters in
the string and adding the escape chars for that.

eg 1: (This will fail to search)

String* searchVal = S"Test'quote";
String* str = S"";
str = String::Format(S"Select * from t1 where c1 = '{0}'",
searchVal);

eg 2: (so i need to add a extra ' in the string)
String* searchVal = S"Test''quote";

Any other solutions for this
Click to expand...

never concat values into a query. Use a parameter like this:
str = S"SELECT * FROM t1 WHERE C1=@param";

and then create a new parameter:
SqlParameter* param = new SqlParameter();
// fill in parameter's properties here.
// add it to the SqlCommand object:
cmd.Parameters.Add(param);

FB


--
 
G

Guest

Thanks Frans, Also Iam is works if use 'LIKE' within a where clause? (Iam
not sure about using wild characters within a param object???)
eg.

SELECT * from t1 WHERE c1 LIKE @param

Hari


Frans Bouma said:
Hari said:
Hi All,

What is the good way to handle a string which contains characters
like single quote (') or square bracket with LIKE ([]), while
building a SQL statement. Right now iam searching these characters in
the string and adding the escape chars for that.

eg 1: (This will fail to search)

String* searchVal = S"Test'quote";
String* str = S"";
str = String::Format(S"Select * from t1 where c1 = '{0}'",
searchVal);

eg 2: (so i need to add a extra ' in the string)
String* searchVal = S"Test''quote";

Any other solutions for this
Click to expand...

never concat values into a query. Use a parameter like this:
str = S"SELECT * FROM t1 WHERE C1=@param";

and then create a new parameter:
SqlParameter* param = new SqlParameter();
// fill in parameter's properties here.
// add it to the SqlCommand object:
cmd.Parameters.Add(param);

FB


--
Click to expand...
 
G

Guest

Hari,

One way:

cmd.CommandText = "Select * From Students Where Name Like @Name"
cmd.Parameters.Add("@Name", "%John%")

Kerry Moorman


Hari said:
Thanks Frans, Also Iam is works if use 'LIKE' within a where clause? (Iam
not sure about using wild characters within a param object???)
eg.

SELECT * from t1 WHERE c1 LIKE @param

Hari


Frans Bouma said:
Hari said:
Hi All,

What is the good way to handle a string which contains characters
like single quote (') or square bracket with LIKE ([]), while
building a SQL statement. Right now iam searching these characters in
the string and adding the escape chars for that.

eg 1: (This will fail to search)

String* searchVal = S"Test'quote";
String* str = S"";
str = String::Format(S"Select * from t1 where c1 = '{0}'",
searchVal);

eg 2: (so i need to add a extra ' in the string)
String* searchVal = S"Test''quote";

Any other solutions for this
Click to expand...

never concat values into a query. Use a parameter like this:
str = S"SELECT * FROM t1 WHERE C1=@param";

and then create a new parameter:
SqlParameter* param = new SqlParameter();
// fill in parameter's properties here.
// add it to the SqlCommand object:
cmd.Parameters.Add(param);

FB


--
Click to expand...
Click to expand...
 
A

Alec MacLean

Hari said:
Thanks Frans, Also Iam is works if use 'LIKE' within a where clause? (Iam
not sure about using wild characters within a param object???)
eg.

SELECT * from t1 WHERE c1 LIKE @param

Hari
Click to expand...

Even better, don't build query as a string at all and use a stored procedure
(assuming SQL Server of some flavour). The use of the parameters and stored
procedures is the recommended approach by MS to prevent risk of your app
being attacked by the SQL injection technique.

Assuming your searched column is a varchar or text datatype, in the stored
procedure, append the wildcard symbol like this:

create procedure dbo.usp_Wildcard_SELECT
@SearchValue VARCHAR(30)
AS

SELECT Col1, <Col2 , etc as required...>
FROM yourSourceTable
WHERE
Col1 LIKE @SearchValue + '%'
-- optional ordering output
ORDER BY Col1


The above example will always add the wildcard to the end of whatever string
value is passed in. This is a common approach for finding records by using
peoples surnames for example.


Al
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Excel Building Excel VBA Dynamic SQL Query- difference between Excel 2007 & 2010 0
No db location? 2
Asp.net Important Topics. 0
FWT Newsletter - Weekly - November 3, 2003 2
FWT Newsletter - Weekly - November 17, 2003 0
FWT Newsletter - Weekly - September 6, 2004 1
FWT Newsletter - Weekly - November 1, 2004 0
FWT Newsletter - Weekly - March 22, 2004 3

Top