I am using this SQL statement to get rows:
SELECT firstname, lastname
FROM myTable
WHERE (lastname LIKE '" + parameter + "%')
parameter gets a value from a textbox. The default value of the textbox is " ".
My problem is I am getting all the rows when nothing is entered in the textbox. I tried to use
WHERE lastname =
This simply gives me all the records that have " ".
What is the correct way of getting data that excludes blanks in the database and also does not give you any record when blank or " " is passed as a parameter?
First, I hope you do some sanitizing to avoid SQL injection.
Then you can, at your choice:
SELECT firstname, lastname FROM myTable WHERE (lastname LIKE '" + parameter + "%') AND '' <> '" + parameter + "'"
the second one being a bad practice from a performance point, and it would assume you've given up sanitizing (very bad).
Also you should note that, in your sanitizing process, you will have to escape or remove the special characters _ and %, see
http://msdn.microsoft.com/en-us/library/ms179859(v=sql.105).aspx
If you do not handle this, a non-empty parameter equal to % will lead to like '%%', which is equivalent to like '%'.
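Added example (not the answerer's or the asker's code): the empty-parameter check done in application code rather than in SQL, the LIKE wildcards escaped, and the value bound as a parameter instead of concatenated. It assumes Python's sqlite3 with a constructed in-memory myTable; SQL Server's LIKE supports the same ESCAPE clause.

```python
import sqlite3

# Constructed sample rows, not data from the question.
SAMPLE_ROWS = [
    ("Ada", "Lovelace"),
    ("Alan", "Turing"),
    ("Grace", "Hopper"),
    ("Blank", " "),       # lastname is a single space
    ("Under", "Sc_ore"),  # lastname contains a LIKE wildcard character
]


def open_db():
    """Create the in-memory table the example queries against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (firstname TEXT, lastname TEXT)")
    conn.executemany("INSERT INTO myTable VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def escape_like(value, esc="\\"):
    """Escape %, _ and the escape character itself so the input is matched
    literally under LIKE ... ESCAPE '\\'."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def find_by_lastname_prefix(conn, parameter):
    """Rows whose lastname starts with parameter.

    Blank or whitespace-only input returns nothing: the check happens in code
    before any query runs, so no '' <> parameter predicate is needed in SQL.
    Blank lastnames stored in the table are excluded by TRIM(lastname) <> ''.
    """
    prefix = parameter.strip()
    if not prefix:
        return []
    sql = ("SELECT firstname, lastname FROM myTable "
           "WHERE lastname LIKE ? ESCAPE '\\' AND TRIM(lastname) <> ''")
    # The value travels as a bound parameter, never spliced into the SQL text.
    return conn.execute(sql, (escape_like(prefix) + "%",)).fetchall()
```

With this, an input of `%` matches only lastnames that literally start with a percent sign, so it no longer returns the whole table.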