How do i write a sql query with user input and wildcards
Question
Usually i write my where statements as WHERE key=@0 then add a param. Now i would like the user to specific a few letters such as 'oat' and would like to stick wildcards around it %oat% which matches 'coating'. So how do i write the query so wildcards are around the user input (the 'seachword').
Now lets take it a step further. I would not like the user to write % so he cannot do blah%ing. Perhaps % is part of the sentence (or it could be flat out illegal but i prefer it be part of the sentence). How do i put my wildcards around a word or sentence and disallow the user from putting the wildcard between his words? (and preferably make % part of the sentence)
C# ado.net sql/sqlite
3 answers
solution1
3 2010-03-22 23:11:31
If you use prepared statements (ie SQLiteCommand, a subclass of DbCommand ), this will be taken care of for you. Eg:
using (SqlCommand myCommand = new SQLiteCommand("SELECT * FROM TABLE WHERE (COLUMN LIKE = '%' + @input + '%')"))
{
myCommand.Parameters.AddWithValue("@input", input);
// ...
}
See also this similar previous question .
solution2
1 2010-03-22 23:00:30
Continue using a param, but add the wildcard in the param prior to binding.
C#:
param = '%' + Regex.Replace(param, @"[%?]", String.Empty) + '%'
SQL:
select * from ... where key like :param
solution3
1 ACCPTED 2010-03-22 23:07:23
RE: How do i put my wildcards around a word or sentence and disallow the user from putting the wildcard between his words? (and preferably make % part of the sentence)
I think you would need to Replace any % the user supplies with \\% and use
LIKE @Expression ESCAPE '\'
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.