Home/ Questions/Q 58175
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-10T17:48:24+00:00

Taking over some code from my predecessor and I found a query that uses

  • 0

Taking over some code from my predecessor and I found a query that uses the Like operator:

SELECT * FROM suppliers WHERE supplier_name like '%'+name+%';

Trying to avoid SQL Injection problem and parameterize this but I am not quite sure how this would be accomplished. Any suggestions ?

note, I need a solution for classic ADO.NET – I don’t really have the go-ahead to switch this code over to something like LINQ.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. try this: 

    var query = 'select * from foo where name like @searchterm'; using (var command = new SqlCommand(query, connection)) {   command.Parameters.AddWithValue('@searchterm', String.Format('%{0}%', searchTerm));   var result = command.ExecuteReader(); }

    the framework will automatically deal with the quoting issues.

    • 0