Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Parameterizing a full text query in sql server

Tags:

sql-server

contains

full-text-search

freetext

I have a problem using the sql server full text feature. I'm converting some forum software to use the full text search and I have everything setup and working. My problems are related to full text queries. I have designed a few queries which run as desired when I test them in sql server management studio using the CONTAINS predicate to locate my search results eg:

Select ....
From ..... 
WHERE Contains(p.Message,'" dog food "' ) ......

So this runs fine but how can I parameterize this in a prepared statement? Ideally I would like to be able to run a query with a where clause like:

Select ....
From ..... 
WHERE Contains(p.Message,'" @SearchTerm "' ) ...

or even 

WHERE Contains(p.Message,'"@SearchTerm" Near "@OtherSearchTerm" ) ...

But this approach doesn't work because of the double quotes and all. I could build the search term up dynamically in the code but I really need to be using parameters for all user input for security reasons. I have looked at a zillion google results trying to find a solution but can't(Surely this must happen everyone or am I missing something really obvious here and/or it's not possible ). Any Ideas?

like image 742
Ronoc Avatar asked Apr 26 '11 19:04

Ronoc

People also ask

What types of queries can be parameterized using simple parameterization?

SQL Server places the following restrictions on what types of queries can be parameterized using Simple Parameterization: If you want SQL Server to parameterize your SQL statements you have three options: stored procedures, sp_executesql or Forced Parameterization. Stored procedures always have a query plan created and reused.

How do you write a full text query in SQL Server?

Write full-text queries by using the predicates CONTAINS and FREETEXT and the rowset-valued functions CONTAINSTABLE and FREETEXTTABLE with a SELECT statement. This article provides examples of each predicate and function and helps you choose the best one to use.

How do I parameterize my SQL statements?

If you want SQL Server to parameterize your SQL statements you have three options: stored procedures, sp_executesql or Forced Parameterization. Stored procedures always have a query plan created and reused. (Technically they don't always have one but it's close enough for this article. And they don't always reuse it.

What is full text search in SQL Server?

Full-text search refers to the functionality in SQL Server that supports full-text queries against character-based data. These types of queries can include words and phrases as well as multiple forms of a word or phrase. To support full-text queries, full-text indexes must be implemented on the columns referenced in the query.

1 Answers

Create a stored procedure with parameters, like:

CREATE PROCEDURE [sp_FullTextSearch] 
    @SearchTerm nvarchar(500)
AS
BEGIN
    Select ....
    From ..... 
    WHERE Contains(p.Message, @SearchTerm)
END

Then call it from your code.

HOW TO: Call SQL Server Stored Procedures in ASP.NET by Using Visual C# .NET

like image 96
bg.dev Avatar answered Oct 12 '22 03:10

bg.dev
Sign in to Comment

Related questions

Stored procedures and functions
How can I get SqlBulkCopy to tell me which column had the truncation error
Creating a SQL Server user with permission to read one view and nothing else - but he can see system views and procedures?
how to handle db schema updates when using schemabinding and updating often
SQLFileStream exception "The network path was not found"
SQL & ColdFusion Encryption
Table with Select Statements, Executing Dynamic SQL and Returning Values
What is the difference between composite non clustered index and covering index
MySQL REGEXP to SQL Server
Table Valued Parameter has slow performance because of table scan
executing a test in sql server 2005
T-SQL MERGE - finding out which action it took
SQL Server - use Exists clause in Where and Select
"The breakpoint will not currently be hit..." error when trying to debug a TSQL stored proc called by .NET code
Is replacing conditional logic with CASE statements efficient in Transact-SQL?
Best way to save drag and drop layout
Is checking for primary key value before insert faster than using try-catch?
What is the best way to compare 2 variants of a SQL query for performance?
Insert row in DB while using multithreads?
SQL Server selecting a string from table using in clause

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!