11

I can get the result I expect by entering this in LINQPad:

SELECT * FROM WorkTable WHERE WTName LIKE "DSD__20090410014953000%"

(it shows me the record which has a WTName value of DSD__20090410014953000.xml)

But trying to do this programmatically is proving trying. I tried:

const string qry = "SELECT SiteNum FROM WorkTable WHERE WTName LIKE @wtName%";
using (SQLiteConnection con = new SQLiteConnection(HHSUtils.GetDBConnection()))
{
    con.Open();
    SQLiteCommand cmd = new SQLiteCommand(qry, con);
    cmd.Parameters.Add(new SQLiteParameter("wtName", tableName));
    siteNum = Convert.ToInt32(cmd.ExecuteScalar());
}

...but it causes the app to crash, and my log file tells me why:

Message: From application-wide exception handler: System.Data.SQLite.SQLiteException: SQL logic error or missing database
near "%": syntax error

So maybe it thinks the query parameter is named "wtName%" instead of "wtName"; but separating the parameter and the "whatever" operator ("%") with a space doesn't work, either.

I could go retro/kludgy by just embedding the query parameter into the string like so:

const string qry = String.Format("SELECT SiteNum FROM WorkTable WHERE WTName LIKE {0}%", tableName);

...and doing without the query parameter altogether, but I'm afraid if I did that Troy Hunt would show up at my house and flail me with a bedrail while railing about SQL Injection.

How can I get my data and simultaneously write safe code?

3 Answers

18
+50

The wildcard % should be added to the parameter value, not to the parameter name.

const string qry = "SELECT SiteNum FROM WorkTable WHERE WTName LIKE @wtName";
using (SQLiteConnection con = new SQLiteConnection(HHSUtils.GetDBConnection()))
{
    con.Open();
    SQLiteCommand cmd = new SQLiteCommand(qry, con);
    cmd.Parameters.Add(new SQLiteParameter("@wtName", tableName + "%"));
    siteNum = Convert.ToInt32(cmd.ExecuteScalar());
}

And, I am not sure if it matters here, but, usually, I insert the parameter name with the exact name used in the placeholder (@wtName).


9

Easiest way to do this is to use '||'

Use :

const string qry = "SELECT SiteNum FROM WorkTable WHERE WTName LIKE @wtName || '%' ";

Instead Of:

const string qry = "SELECT SiteNum FROM WorkTable WHERE WTName LIKE @wtName%";

1 Comment

Why do one and not the other?
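Both the accepted answer (wildcard appended to the bound value) and the `||` answer rely on the same idea: the prefix is bound as a parameter and only the literal `'%'` lives in the SQL text. The following added example is not code from the question or the answers; it uses Python's standard sqlite3 module against an in-memory SQLite database with a few constructed rows, because SQLite's LIKE semantics are the same there as under System.Data.SQLite. It also shows the caveat the answers do not mention: `_` and `%` inside the bound value are still LIKE wildcards (the asker's own `DSD__` prefix contains two of them), so a caller-supplied value should be escaped with an ESCAPE clause when it must match literally. Function names and the sample rows are this example's own.

```python
import sqlite3

# Constructed sample rows (not the asker's data). Row 8 differs from row 7 only in
# the two positions where the asker's prefix has '_' characters.
SAMPLE_ROWS = [
    (7, "DSD__20090410014953000.xml"),
    (8, "DSDXX20090410014953000.xml"),
    (9, "OTHER_20090410014953000.xml"),
]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE WorkTable (SiteNum INTEGER, WTName TEXT)")
    con.executemany("INSERT INTO WorkTable VALUES (?, ?)", SAMPLE_ROWS)
    return con

def site_nums_prefix(con, prefix):
    """Prefix match as in the answers: '%' is concatenated to the bound VALUE with ||,
    so the caller's text is never spliced into the SQL. Any '_' or '%' the caller
    passes is still interpreted as a LIKE wildcard, though."""
    rows = con.execute(
        "SELECT SiteNum FROM WorkTable WHERE WTName LIKE ? || '%' ORDER BY SiteNum",
        (prefix,)).fetchall()
    return [r[0] for r in rows]

def escape_like(value, esc="\\"):
    """Escape the LIKE metacharacters (and the escape char itself) in a bound value."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))

def site_nums_prefix_literal(con, prefix):
    """Same query, but the caller's '_' and '%' are escaped and declared via ESCAPE,
    so only names that literally start with the prefix match."""
    rows = con.execute(
        "SELECT SiteNum FROM WorkTable WHERE WTName LIKE ? || '%' ESCAPE '\\' "
        "ORDER BY SiteNum",
        (escape_like(prefix),)).fetchall()
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = make_db()
    print(site_nums_prefix(db, "DSD__20090410014953000"))          # [7, 8]
    print(site_nums_prefix_literal(db, "DSD__20090410014953000"))  # [7]
    print(site_nums_prefix(db, "%"))                               # [7, 8, 9]
    print(site_nums_prefix_literal(db, "%"))                       # []
```

Either form is injection-safe because the prefix is always a bound parameter; the escaped variant additionally stops a caller-supplied `%` or `_` from widening the match.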
-2

Try defining query like this:

const string qry = "SELECT SiteNum FROM WorkTable WHERE WTName LIKE @wtName + '%'";

3 Comments

Didn't try on SQLite but it works on SQL Server for sure. I copied it from existing project.
The concatenation operator for strings in SQLite is || so you should write @wtName || '%'. Still I believe that this is too error prone and not portable
@Dragon your answer is valid for SQL Server but not for SQLite. As I have answered, in SQLite you must use '||' instead of '+'
