
Adding parameters with sqlcommand.parameters.addwithvalue

I am not able to get any response from the following code:

using (SqlCommand cmd = new SqlCommand(@"SELECT * FROM users WHERE @parameter LIKE @value", con))
{
    cmd.Parameters.AddWithValue("parameter", parameter);
    cmd.Parameters.AddWithValue("value", value);

    SqlDataReader result = cmd.ExecuteReader();

    return result.HasRows;
}

Getting false every time.

Does anyone know why?

This is incorrect syntax in SQL

SELECT * FROM users WHERE @parameter LIKE @value

should be something like

SELECT * FROM users WHERE parameter = @parameter LIKE @value

and to add the LIKE parameter do this

cmd.Parameters.AddWithValue("@value","%" + value + "%");

cmd.Parameters.AddWithValue("parameter", parameter);

SqlCommand will infer that parameter is a string and so will quote it resulting in:

SELECT * FROM users WHERE 'xxx' LIKE 'yyy'

Which is going to be false.

Add the field name via (sanitized) string.format/concatenation.
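One way to do what the last answer suggests, as an added example that is not code from the question or its answers: the column name is taken from a fixed allowlist and only the LIKE value is bound as a parameter. The column names `username` and `email`, the class name `UserLookup` and the 256-character parameter length are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class UserLookup
{
    // Assumed searchable columns of the users table; replace with the real schema.
    // Keys are matched case-insensitively, values are the exact text placed in the SQL.
    static readonly Dictionary<string, string> SearchableColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "username", "username" },
            { "email", "email" },
        };

    // Identifiers cannot be bound as parameters, so the column comes from the
    // allowlist and never from the caller's string; the value stays a parameter.
    public static SqlCommand BuildCommand(SqlConnection con, string column, string value)
    {
        if (column == null || !SearchableColumns.TryGetValue(column, out string safeColumn))
            throw new ArgumentException("Column is not searchable.", nameof(column));

        var cmd = new SqlCommand(
            "SELECT 1 FROM users WHERE [" + safeColumn + "] LIKE @value", con);
        // Explicit type and length instead of AddWithValue's inference.
        cmd.Parameters.Add("@value", SqlDbType.NVarChar, 256).Value = "%" + value + "%";
        return cmd;
    }

    public static bool Exists(SqlConnection con, string column, string value)
    {
        using (SqlCommand cmd = BuildCommand(con, column, value))
        using (SqlDataReader reader = cmd.ExecuteReader())
            return reader.HasRows;
    }

    static void Main()
    {
        // The connection is never opened here, so no database is needed
        // to inspect the generated command text.
        using (var con = new SqlConnection())
        {
            using (SqlCommand cmd = BuildCommand(con, "Email", "alice"))
                Console.WriteLine(cmd.CommandText);

            try { BuildCommand(con, "passwordHash", "x"); }   // not in the allowlist
            catch (ArgumentException ex) { Console.WriteLine("rejected: " + ex.Message); }
        }
    }
}
```

Characters such as `%` and `_` inside `value` still act as LIKE wildcards; binding the value as a parameter prevents it from being parsed as SQL, not from matching as a pattern.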
