Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How can I use the Like Operator with a Parameter in a SQLite query?

Tags:

c#

sqlite

sql-injection

sql-like

query-parameters

I can get the result I expect by entering this in LINQPad:

SELECT * FROM WorkTable WHERE WTName LIKE "DSD__20090410014953000%"

(it shows me the record which has a WTName value of DSD__20090410014953000.xml")

But trying to do this programmatically is proving trying. I tried:

const string qry = "SELECT SiteNum FROM WorkTable WHERE WTName LIKE @wtName%";
using (SQLiteConnection con = new SQLiteConnection(HHSUtils.GetDBConnection()))
{
    con.Open();
    SQLiteCommand cmd = new SQLiteCommand(qry, con);
    cmd.Parameters.Add(new SQLiteParameter("wtName", tableName));
    siteNum = Convert.ToInt32(cmd.ExecuteScalar());
}

...but it causes the app to crash, and my log file tells me why:

Message: From application-wide exception handler: System.Data.SQLite.SQLiteException: SQL logic error or missing database
near "%": syntax error

So maybe it thinks the query parameter is named "wtName%" instead of "wtName"; but separating the parameter and the "whatever" opertor ("%") with a space doesn't work, either.

I could go retro/kludgy by just embedding the query parameter into the string like so:

const string qry = String.Format("SELECT SiteNum FROM WorkTable WHERE WTName LIKE {0}%", tableName);

...and doing without the query parameter altogether, but I'm afraid if I did that Troy Hunt would show up at my house and flail me with a bedrail while railing about SQL Injection.

How can I get my data and simultaneously write safe code?

like image 503
B. Clay Shannon-B. Crow Raven Avatar asked Jan 22 '15 22:01

B. Clay Shannon-B. Crow Raven

2 Answers

The wildcard % should be added to the parameter value, not to the parameter name

const string qry = "SELECT SiteNum FROM WorkTable WHERE WTName LIKE @wtName";
using (SQLiteConnection con = new SQLiteConnection(HHSUtils.GetDBConnection()))
{
    con.Open();
    SQLiteCommand cmd = new SQLiteCommand(qry, con);
    cmd.Parameters.Add(new SQLiteParameter("@wtName", tableName + "%"));
    siteNum = Convert.ToInt32(cmd.ExecuteScalar());
}

And, I am not sure if it matters here, but, usually, I insert the parameter name with the exact name used in the placeholder ( @wtName )

like image 144
Steve Avatar answered Oct 05 '22 18:10

Steve

Easiest way to do this is to use '||'

Use : 

const string qry = "SELECT SiteNum FROM WorkTable WHERE WTName LIKE @wtName || '%' ";

Instead Of: 

const string qry = "SELECT SiteNum FROM WorkTable WHERE WTName LIKE @wtName%";
like image 39
Kas Avatar answered Oct 05 '22 19:10

Kas
Sign in to Comment

Related questions

HTML agility pack get all divs with class
what is "Loading symbols" and why does it take so long the first time?
SQLite.NET - System.NotSupportedException: Cannot compile: Parameter
How to indicate to R# that a function checks a variable for null
Windows Phone 8 Scroll content of textbox
Assigning value to session, giving object reference not set to an instance of an object exception in MVC
What is the unit for the value for the aspnet:MaxJsonDeserializerMembers property in appSettings?
WPF DatePicker format
CreateInstanceAndUnwrap in Another Domain?
Configuring JsonNetSerializer and JsonNetBodyDeserializer using Nancy TinyIoC
Post Build Event Exited with Code 1
Lambda overload for Skip/Take Missing
How to add an additional css class from code behind using ASP.NET?
Is there any advantage in disallowing interface implementation for existing classes?
EF6 DbSet<T> returns null in Moq
How to create "trigger" in MongoDB
Entity vs Aggregate vs Aggregate Root
What is the meaning of -2 in this IL instruction?
What do DoEvents()'s in C# actually do?
Add new XElements with new line in XDocument with PreserveWhitespace LoadOptions

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!