Howto? Parameters and LIKE statement SQL

asp.net sql vb.net

I am writing a searching function, and have thought up of this query using parameters to prevent, or at least limit, SQL injection attacks. However, when I run it through my program it does not return anything:

SELECT * FROM compliance_corner WHERE (body LIKE '%@query%') OR (title LIKE '%@query%')

Can parameters be used like this? or are they only valid in an instance such as:

SELECT * FROM compliance_corner WHERE body LIKE '%<string>%' (where <string> is the search object).

EDIT: I am constructing this function with VB.NET, does that have impact on the syntax you guys have contributed?

Also, I ran this statement in SQL Server: SELECT * FROM compliance_corner WHERE (body LIKE '%max%') OR (title LIKE%max%')` and that returns results.


Well, I'd go with:

 Dim cmd as New SqlCommand(
 "SELECT * FROM compliance_corner"_
  + " WHERE (body LIKE @query )"_ 
  + " OR (title LIKE @query)")

 cmd.Parameters.Add("@query", "%" +searchString +"%")

Your visual basic code would look something like this:

Dim cmd as New SqlCommand("SELECT * FROM compliance_corner WHERE (body LIKE '%' + @query + '%') OR (title LIKE '%' + @query + '%')")

cmd.Parameters.Add("@query", searchString)

Related

"Unparseable date: 1302828677828" trying to deserialize with Gson a millisecond-format date received from server
Typescript compile to single file
Framework not found GoogleToolboxForMac
Dapper.NET and stored proc with multiple result sets
Continuing in Python's unittest when an assertion fails
Self-Terminating AWS EC2 Instance?
How to pass data to dialog of angular material 2
app.config for a class library
SQL Server String Concatenation with Null
MySQL select statement with CASE or IF ELSEIF? Not sure how to get the result
Get custom product attributes in Woocommerce
Is it still safe to delete nullptr in c++0x?