如何在带有参数的SQL查询中使用通配符

Say I have a basic query, something like this:

假设我有一个基本查询，如下所示：

 SELECT holiday_name
 FROM holiday
 WHERE holiday_name LIKE %Hallow%

This executes fine in my sql query pane and returns 'Halloween'. My problem occurs when I try to use parameters with with the wildcard '%' characters in my code.

这在我的SQL查询窗格中执行正常并返回'Halloween'。当我尝试在我的代码中使用带有通配符'％'字符的参数时，会出现问题。

SqlConnection Connection = null;
SqlCommand Command = null;

string ConnectionString = ConfigurationManager.ConnectionStrings["SQLdb"].ConnectionString;
string CommandText = "SELECT holiday_name "
                   + "FROM holiday "
                   + "WHERE holiday_name LIKE %@name%";
Connection = new SqlConnection(ConnectionString);

try
{
      Connection.Open();
      Command = new SqlCommand(CommandText, Connection);
      Command.Parameters.Add(new SqlParameter("name", HolidayTextBox.Text));
      var results = Command.ExecuteScalar();
}

catch (Exception ex)
{   
     //error stuff here       
}

finally
{
    Command.Dispose();
    Connection.Close();
}

This throws an incorrect syntax error. I've tried moving the '%' to my parameter like so

这会引发错误的语法错误。我已经尝试将'％'移动到我的参数中

Command.Parameters.Add(new SqlParameter("%name%", HolidayTextBox.Text));

but then I receive an error saying I haven't declared the scalar variable '@name'. So, how do you properly format wildcard characters to be included with query parameters? Any help is appreciated!

但后来我收到一个错误，说我没有声明标量变量'@name'。那么，如何正确格式化通配符以包含在查询参数中？任何帮助表示赞赏！

3 个解决方案

#1

First off, your SqlParameter name is @name not name.

首先，您的SqlParameter名称是@name而不是名称。

Second, I would move your wildcards.

其次，我会移动你的通配符。

So it would look like this:

所以它看起来像这样：

string CommandText = "SELECT holiday_name "
               + "FROM holiday "
               + "WHERE holiday_name LIKE @name;"
Connection = new SqlConnection(ConnectionString);

try
{
  var escapedForLike = HolidatyTextBox.Text; // see note below how to construct 
  string searchTerm = string.Format("%{0}%", escapedForLike);
  Connection.Open();
  Command = new SqlCommand(CommandText, Connection);
  Command.Parameters.Add(new SqlParameter("@name", searchTerm));
  var results = Command.ExecuteScalar();
}

Note that LIKE requires special care when passing parameters and you need to escape some characters Escaping special characters in a SQL LIKE statement using sql parameters.

请注意，LIKE在传递参数时需要特别小心，您需要转义一些字符使用sql参数在SQL LIKE语句中转义特殊字符。

#2

whatever you do don't do this:

无论你做什么都不这样做：

string CommandText = "SELECT holiday_name "
                   + "FROM holiday "
                   + "WHERE holiday_name LIKE '%'" + HolidayTextBox.Text + "'%'";

as that will open you up to sql injection, instead do this:

因为这将打开你的SQL注入，而不是这样做：

Command.Parameters.Add(new SqlParameter("@name", "%" + HolidayTextBox.Text + "%"));

you may like to know about Command.Parameters.AddWithValue, e.g:

您可能想了解Command.Parameters.AddWithValue，例如：

Command.Parameters.AddWithValue("@name", "%" + HolidayTextBox.Text + "%");

#3

The %s should be part of the search string, not the query.

％s应该是搜索字符串的一部分，而不是查询。

string CommandText = "SELECT holiday_name "
                + "FROM holiday "
                + "WHERE holiday_name LIKE @name";
Connection = new SqlConnection(ConnectionString);

try
{
    Connection.Open();
    Command = new SqlCommand(CommandText, Connection);
    string name = "%" + HolidayTextBox.Text + "%";
    Command.Parameters.Add(new SqlParameter("@name", name));

#1