This would be a vulnerability. Any man-in-the-middle that can see…

Question

Editorial Team

Asked: May 11, 20262026-05-11T11:04:00+00:00 2026-05-11T11:04:00+00:00

I am trying to build SQL for a parameter query in C# for a

I am trying to build SQL for a parameter query in C# for a query which will contain the LIKE %% command.

Here is what I am trying to acheive (please note that the database is Firebird)

var SQL = string.format('SELECT * FROM {0} WHERE {1} LIKE '%?%'', TABLE, NAME);  cmd.Parameters.AddWithValue(NAME, 'JOHN');

Now I have tried every single permutation to get the parameter to work, I have tried;

Adding the % character to the parameter,

cmd.Parameters.AddWithValue(NAME, '%' + 'JOHN' + '%');

or

cmd.Parameters.AddWithValue(NAME, ''%' + 'JOHN' + '%'');

I cannot seem to get this to work, how can I use a parameter for the LIKE query to work.

Suggestions are welcome!

You must login to add an answer.

Need An Account,

score 0 · Answer 1 · 2026-05-11T11:04:01+00:00

You can’t have parameters inside of a string literal in the query. Make the entire value the parameter, and add the wildcards to the string:

var SQL = string.format('SELECT * FROM {0} WHERE {1} LIKE ?', TABLE, NAME); Cmd.Parameters.AddWithValue(NAME, '%' + 'JOHN' + '%');