I have seen in my searches the use of parameterized strings in SQL queries formed as below:
using System.Data.SqlClient;
using (var conn = new SqlConnection("<connection-string>")) // placeholder; not shown in the original post
using (var comm = new SqlCommand("SELECT * FROM table WHERE field LIKE '%'+@var+'%'", conn))
{
    comm.Parameters.AddWithValue("@var", "variabletext"); // sent as a bound value, never spliced into the SQL text
    conn.Open();
    SqlDataReader reader = comm.ExecuteReader();
}
However, in this forum it was mentioned that it is subject to SQL injection despite its being used in a parameterized string. I can only assume that concatenated strings bypass all parameterized security and just insert the value directly as a string. If this is the case, how does one use the wildcard operators in a parameterized query while avoiding SQL code injection?
This is not vulnerable to SQL Injection.
Whoever told you that is wrong.
'%'+@var+'%' is treated as data, not as executable code. It is evaluated as a string and then used as the pattern on the right-hand side of the LIKE. You would only have an issue if you were then to EXEC the result of such a concatenation. Simply performing a string concatenation in the query itself is not a problem.
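As an added illustration (not code from the question or the answer above), the same point in Python with SQLite, which runs stand-alone: `||` is SQLite's string concatenation, standing in for T-SQL's `+`, and the table contents are constructed. It also shows a related caveat the answer does not cover: wildcard characters inside the bound value still act as wildcards, so escape them when a literal match is intended (for SQL Server, `[` is a wildcard too and should be escaped the same way).

```python
import sqlite3

# Constructed sample rows, not data from the original post.
ROWS = [("alpha",), ("100% cotton",), ("1000 units",), ("O'Brien",)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (field TEXT)")
    conn.executemany("INSERT INTO t VALUES (?)", ROWS)
    return conn


def search_concat(conn, term):
    # Unsafe pattern: the search term is spliced into the SQL text itself,
    # so a quote in the input changes the statement (here it breaks the syntax).
    sql = "SELECT field FROM t WHERE field LIKE '%" + term + "%'"
    return sorted(r[0] for r in conn.execute(sql))


def concat_breaks(conn, term):
    # Reports whether the concatenated form fails to parse for this input.
    try:
        search_concat(conn, term)
        return False
    except sqlite3.OperationalError:
        return True


def search_param(conn, term):
    # Safe pattern from the answer: the wildcards are concatenated inside the SQL,
    # the term arrives as a bound value and is only ever evaluated as a string.
    sql = "SELECT field FROM t WHERE field LIKE '%' || ? || '%'"
    return sorted(r[0] for r in conn.execute(sql, (term,)))


def escape_like(term, esc="\\"):
    # '%' and '_' inside the bound value are still LIKE wildcards; escape them
    # (and the escape character itself) when the input should match literally.
    return term.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def search_param_literal(conn, term):
    # Same bound-parameter query, plus an ESCAPE clause so the data is matched literally.
    sql = "SELECT field FROM t WHERE field LIKE '%' || ? || '%' ESCAPE '\\'"
    return sorted(r[0] for r in conn.execute(sql, (escape_like(term),)))


if __name__ == "__main__":
    db = make_db()
    print(search_param(db, "O'Brien"))          # quote is plain data: ["O'Brien"]
    print(concat_breaks(db, "O'Brien"))         # concatenation breaks on the quote: True
    print(search_param(db, "100%"))             # '%' in the data still wildcards: both rows
    print(search_param_literal(db, "100%"))     # escaped: only "100% cotton"
```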