Using 'Like' operator in parameterized queries

The main advantage of parameterized query is to protect the database from SQL Injection. Today I used this concept in my one of the project. Do you know using ‘Like’ operator in parameterized query is bit different?

First, let’s look at sample project to explore this.

My ASPX Page:

<asp:GridView ID="GridView2" runat="server" AutoGenerateColumns="False" DataKeyNames="id" DataSourceID="SqlDataSource1" EmptyDataText="No data to display.">
    <Columns>
        <asp:BoundField DataField="id" HeaderText="ID" SortExpression="id" />
        <asp:BoundField DataField="name" HeaderText="Name" SortExpression="name" />
        <asp:BoundField DataField="mobile" HeaderText="Mobile" SortExpression="mobile" />
        <asp:BoundField DataField="address" HeaderText="Address" SortExpression="address" />
    </Columns>
</asp:GridView>
<asp:SqlDataSource ID="SqlDataSource2" runat="server"
    ConnectionString="<%$ ConnectionStrings:ASPNETDBConnectionString1 %>"
    ProviderName="<%$ ConnectionStrings:ASPNETDBConnectionString1.ProviderName %>"
    SelectCommand="??">
    <SelectParameters>
        <asp:Parameter Name="canName"/>
    </SelectParameters>
</asp:SqlDataSource>

Code-Behind Page:

    protected void btnSearch_Click(object sender, EventArgs e)
    {
        string name = txtStudentNameToSearch.Text;
        SqlDataSource1.SelectParameters["canName"].DefaultValue = name;
    }

So, what query you will write for above SelectCommand?

"SELECT * FROM [TableName] WHERE name LIKE '%@canName%'"

OR

"SELECT * FROM [TableName] WHERE name LIKE '%'+ @canName + '%'"

At very first try, you will use first one but this will not work for you, you need to use second one.

Comments

Post a Comment

Popular posts from this blog

Migrating database from ASP.NET Identity to ASP.NET Core Identity

Image
As you know ASP.NET Core Identity (table structure) is different from what we had earlier in ASP.NET Identity. Actually the identity system which we have today with .NET Core is very mature and continuously evolved be it ASP.NET Membership, ASP.NET Identity 1, ASP.NET Identity 2 and now ASP.NET Core Identity. Recently I had to migrate few application to ASP.NET Core and similar its identity database. Because the table schema is changed, i had to re-think and create migration script which I would like to share with you today. It is very simple and easy, just three step and I had everything ready: STEP 1 : Change name of existing tables STEP 2 : Create ASP.NET Core Identity tables STEP 3 : Migrate data from old tables (ASP.NET Identity) to new tables (ASP.NET Core Identity) Script:  https://gist.github.com/itorian/c699e8534b392a6c726ec66c48100072 You should also watch my video, where I demoed migration.
Read More »

Customize User's Profile in ASP.NET Identity System

Image
Note: You should read this post instead, I found below walkthrough will not work on ASP.NET Identity 2. I will re-work on this post soon. In this post you will learn how to customize User’s Profile and add some more fields like FirstName, LastName, EmailID etc with ASP.NET Identity System. In my last post I listed some of the great new features introduced with Identity system .
Read More »