
So I have this query:

var comm = @"SELECT * FROM `TABLE` ";

bool hasWhere = false;

if ( model.Serial > 0 ) {
    comm += " WHERE `SERIAL` LIKE '%" + model.Serial + "%' ";
    hasWhere = true;
}

if ( model.Id.HasValue && model.Id.Value > 0 ) {
    if ( !hasWhere ) {
        comm += " WHERE `NUIP` LIKE '%" + model.Id.Value + "%' ";
        hasWhere = true;
    } else
        comm += " AND `NUIP` LIKE '%" + model.Id.Value + "%' ";
}

if ( model.Date.HasValue ) {
    if ( !hasWhere ) {
        comm += " WHERE `DATE` = '" + model.Date.Value + "' ";
        hasWhere = true;
    } else
        comm += " AND `DATE` = '" + model.Date.Value + "' ";
}
....
....
....

I've read about parameterized queries against SQL Injection and so on. The thing is, given that I'll have a dynamic number of WHERE clauses (based on the search model), how can I parameterize the query? I can't put WHERE a = @A AND b = @B... because the user must not need to search based on all the columns.

Any idea? Thanks in advance.

P.S: Can't use LINQ or something similar to that (-business rules-).

  • The business rules dictate the implementation? Those don't sound like business rules. Commented Jun 11, 2012 at 1:22

2 Answers


You can still use a SQL parameterized query with a WHERE clause (the WHERE will be sort of dynamic). For example, I have a parameter @SerialNum that is NULL and a parameter @Code that equals 455.

SELECT
     Column1
    ,Column2
FROM 
     YourTable
WHERE
    (
        @SerialNum IS NULL
        OR
        Column3 LIKE '%' + @SerialNum + '%'
    )
    AND
    (
        @Code IS NULL
        OR
        Column4 LIKE '%' + @Code + '%'
    )

3 Comments

This is the easiest way, avoiding if statements in the program code.
Personally I think this is better than my way as it is all in the SQL engine! But can you update the code for MySQL?
@fenix2222 Brilliant! Absolutely brilliant. Thanks!

I use this trick.

....
WHERE 1 = 1 
AND a = a 
AND b= @b 
AND c = c 
... etc....

i.e. I compare the column to itself if I don't want to search on it.

var comm = @"SELECT * FROM `TABLE` WHERE 1 = 1 ";

if ( model.Serial > 0 ) {
    comm += " AND `SERIAL` LIKE '%" + model.Serial + "%' ";
} else {
    // no filter wanted: compare the column to itself, which is always true
    comm += " AND `SERIAL` = `SERIAL` ";
}

if ( model.Id.HasValue && model.Id.Value > 0 ) {
    comm += " AND `NUIP` LIKE '%" + model.Id.Value + "%' ";
} else {
    comm += " AND `NUIP` = `NUIP` ";
}
....

WHERE 1 = 1 is optimised away and removes the need to remember if a WHERE is defined yet or not, and all the searches are either optimised away (AND a=a) or have search applied (AND a = xxx).

You just add a single if for each search!

Also I'd use a StringBuilder to clean up the string handling.

1 Comment

+1 for the removal of that WHERE! Any idea about the actual question (the parameterized version of it)? Thanks
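Putting the two answers together (the WHERE 1 = 1 trick from this answer, and parameters instead of concatenated values as in the first answer), here is an added example that is not code from either answer or from the question. It uses the provider-agnostic System.Data.Common API, so it works with the MySQL or SQL Server ADO.NET providers; the SearchModel class and the column names are assumed from the question's snippet.

```csharp
using System;
using System.Data.Common;
using System.Text;

// Hypothetical search model mirroring the fields used in the question.
public class SearchModel
{
    public int Serial { get; set; }
    public int? Id { get; set; }
    public DateTime? Date { get; set; }
}

public static class SearchQuery
{
    // Builds "SELECT * FROM `TABLE` WHERE 1 = 1 AND ..." with one named
    // parameter per active filter. User-supplied values never reach the SQL
    // text; only fixed column names and placeholders are concatenated, so the
    // query is safe from injection however many filters are active.
    public static DbCommand Build(DbConnection conn, SearchModel model)
    {
        DbCommand cmd = conn.CreateCommand();
        var sql = new StringBuilder("SELECT * FROM `TABLE` WHERE 1 = 1");

        // Appends one " AND <clause>" and binds the matching parameter.
        void AddFilter(string clause, string name, object value)
        {
            sql.Append(" AND ").Append(clause);
            DbParameter p = cmd.CreateParameter();
            p.ParameterName = name;
            p.Value = value;
            cmd.Parameters.Add(p);
        }

        if (model.Serial > 0)
            // The LIKE wildcards belong in the parameter value, not in the SQL.
            AddFilter("`SERIAL` LIKE @serial", "@serial", "%" + model.Serial + "%");

        if (model.Id.HasValue && model.Id.Value > 0)
            AddFilter("`NUIP` LIKE @nuip", "@nuip", "%" + model.Id.Value + "%");

        if (model.Date.HasValue)
            AddFilter("`DATE` = @date", "@date", model.Date.Value);

        cmd.CommandText = sql.ToString();
        return cmd;
    }
}
```

Filters that are not active simply add no clause and no parameter, so there is no need to track whether a WHERE has been emitted yet.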
