I have a very odd problem and I don't know how to get rid of it.
I have an advanced search for my project; it's basically a school search.
My problem is that I am using LIKE to compare the options, and at the end of the search my query should look like this:
    select *
    from tbl_schooldetails
    where
        state = 'Gujarat'
        and city = 'Ahmedabad'
        and area = 'Navrangpura'
        and ( board = 'xx' or board LIKE '%CBSE Board%' or board LIKE '%Gujarat Board%')
But instead I get the query below:
    select *
    from tbl_schooldetails
    where
        state = 'Gujarat'
        and city = 'Ahmedabad'
        and area = 'Navrangpura'
        and ( board = 'xx' or board LIKE '�SE Board%' or board LIKE '%Gujarat Board%')
If you noticed, my %CB is converted into the " � " sign, and so I am not able to search any result related to the "CBSE Board" option.
Can anyone tell me how to get rid of this URL encoding?
This is my code from where this query is generated:
    string qry = "select * from tbl_schooldetails where state = '" + sdpd4.SelectedItem.Text + "'";
    if (sdpd2.SelectedItem.Text != "Select City")
    {
        qry += " and city = '" + sdpd2.SelectedItem.Text + "'";
    }
    if (sdpd1.SelectedItem.Text != "Select Area")
    {
        qry += " and area = '" + sdpd1.SelectedItem.Text + "'";
    }
    if (CheckBoxList3.SelectedItem != null)
    {
        qry = qry + " and ( board = 'xx'";
        for (int i = CheckBoxList3.Items.Count - 1; i >= 0; i--)
        {
            if (CheckBoxList3.Items[i].Selected == true)
            {
                string mt = CheckBoxList3.Items[i].ToString();
                qry = qry + " or board LIKE '" + '%' + mt + '%' + "'";
            }
        }
        qry = qry + ")";
    }
    if (RadioButtonList1.SelectedItem != null)
    {
        qry += " and gender ='" + RadioButtonList1.SelectedItem.Text + "'";
    }
    Response.Redirect("schoolsearchresult2.aspx?search=" + qry);
Edited now that the original question is clearer.
Just change this:
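    Response.Redirect("schoolsearchresult2.aspx?search=" + qry);
To this:
    // UrlEncode is an instance method of HttpServerUtility; inside a page,
    // the Server property is that instance.
    Response.Redirect("schoolsearchresult2.aspx?search="
        + Server.UrlEncode(qry));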
...but: my warning (and everybody else's) remains correct: passing a WHERE clause in your query string is very dangerous--trivial tweaking of the resulting URL can destroy your database.
Original answer
You seem to be putting %CB into a URL, which is interpreted on the server as a hex digit.
If you use %25CB it should be interpreted as "%CB".
Alternatively you could use one of the built-in C# functions. I think the one you need is HttpServerUtility.UrlEncode.
VERY IMPORTANT:
If this is a real application, not a proof-of-concept project, you must not copy data directly from the URL into your SQL string!
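
The warning above, turned into code: an added example (not from the original question or answer) that sends only the selected values in the URL, each percent-encoded, and builds the WHERE clause on the results page with bound parameters. It assumes SQL Server via System.Data.SqlClient; the class and method names and the query-string keys are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Data.SqlClient;
using System.Linq;

public static class SchoolSearch   // hypothetical helper, not the poster's code
{
    // Search page: put only the chosen values in the URL, never SQL text.
    public static string BuildRedirectUrl(string state, string city, string area,
                                          IEnumerable<string> boards, string gender)
    {
        var parts = new List<string> { "state=" + Uri.EscapeDataString(state) };
        if (city != "Select City") parts.Add("city=" + Uri.EscapeDataString(city));
        if (area != "Select Area") parts.Add("area=" + Uri.EscapeDataString(area));
        parts.AddRange(boards.Select(b => "board=" + Uri.EscapeDataString(b)));
        if (gender != null) parts.Add("gender=" + Uri.EscapeDataString(gender));
        return "schoolsearchresult2.aspx?" + string.Join("&", parts);
    }

    // Results page: pass Request.QueryString. Column names come from a fixed
    // list; user-supplied values are bound as parameters, never concatenated.
    public static SqlCommand BuildCommand(NameValueCollection q, SqlConnection conn)
    {
        var cmd = new SqlCommand { Connection = conn };
        var where = new List<string>();
        foreach (var col in new[] { "state", "city", "area", "gender" })
        {
            if (string.IsNullOrEmpty(q[col])) continue;
            where.Add(col + " = @" + col);
            cmd.Parameters.AddWithValue("@" + col, q[col]);
        }
        var boards = q.GetValues("board") ?? new string[0];   // repeated key
        var likes = new List<string>();
        for (int i = 0; i < boards.Length; i++)
        {
            likes.Add("board LIKE @board" + i);
            cmd.Parameters.AddWithValue("@board" + i, "%" + EscapeLike(boards[i]) + "%");
        }
        if (likes.Count > 0) where.Add("(" + string.Join(" or ", likes) + ")");
        cmd.CommandText = "select * from tbl_schooldetails"
            + (where.Count > 0 ? " where " + string.Join(" and ", where) : "");
        return cmd;
    }

    // Make %, _ and [ in user input match literally (SQL Server bracket escaping).
    static string EscapeLike(string s)
    {
        return s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }
}
```

With "CBSE Board" and "Gujarat Board" ticked, the URL carries `board=CBSE%20Board&board=Gujarat%20Board`, and the `%` wildcards are added on the server, so they never travel through the query string.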