c# - How to use sql parameters for a select query?

Question

Welcome To Ask or Share your Answers For Others

c# - How to use sql parameters for a select query?

asked Oct 24, 2021 in Technique[技术] by 深蓝 (71.8m points)

c# - How to use sql parameters for a select query?

I need to fetch the records based on a 'like' match against a set of records,

The below query im using is not working . Does anyone knows what's wrong with the query?

 sqlCommand.CommandText =String.Format("SELECT * FROM Customer" +
                " WHERE (Name like @Name)","'%" +searchString.Trim()+"%'");
            sqlCommand.Parameters.AddWithValue("Name", searchString);

This query isnt fetching the desired records.

I'm getting the following error while running the above snippet:

Must declare the scalar variable "@Name".

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙；凝视深渊过久,深渊将回以凝视…

1 Answer

深蓝 · Answer 1 · 2021-10-23T21:43:07+0000

What happens this way?

sqlCommand.CommandText = "SELECT * FROM Customer WHERE Name LIKE @Name;";
sqlCommand.Parameters.AddWithValue("@Name", "%" + searchString + "%");

You could also code it as follows to avoid all the wildcard formatting in the first place:

sqlCommand.CommandText = "SELECT * FROM Customer WHERE CHARINDEX(@Name, Name) > 0;";
sqlCommand.Parameters.AddWithValue("@Name", searchString);

If you're going to insist on doing it the unsafe way, at the very least double-up any single quotes found in searchString, e.g.

searchString.Replace("'", "''")

Categories

c# - How to use sql parameters for a select query?

c# - How to use sql parameters for a select query?

Please log in or register to add a comment.

Please log in or register to answer this question.

1 Answer

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags