CODEWITHSUNDEEP
c#sql-server
NewBie
NewBie

Reputation: 1844

How to use sql parameters for a select query?

I need to fetch the records based on a 'like' match against a set of records,

The below query im using is not working . Does anyone knows what's wrong with the query?

 sqlCommand.CommandText =String.Format("SELECT * FROM Customer" +
                " WHERE (Name like @Name)","'%" +searchString.Trim()+"%'");
            sqlCommand.Parameters.AddWithValue("Name", searchString);

This query isnt fetching the desired records.

I'm getting the following error while running the above snippet:

Must declare the scalar variable "@Name".

Upvotes: 6

Views: 43034

Answers (3)

cmkrushchev
cmkrushchev

Reputation: 1

If Not con.State = ConnectionState.Open Then con.Open() End If

    Try

        Dim cmd As New OleDbCommand("UPDATE med_records SET Medicine=@Medicine,Dosage=@Dosage,Format=@Format,Expiration_date=@Expiration_date,Quantity=@Quantity where M_id=@M_id", con)
        cmd.Parameters.AddWithValue("@Medicine", txtMedicine.Text)
        cmd.Parameters.AddWithValue("@Dosage", txt_Dosage.Text)
        cmd.Parameters.AddWithValue("@Format", txt_Format.Text)
        cmd.Parameters.AddWithValue("@Expiration_date", txt_Expirationdate.Text)
        cmd.Parameters.AddWithValue("@Quantity", NumericUpDown1.Text)
        cmd.Parameters.AddWithValue("@M_id", txt_M_id.Text)
        cmd.ExecuteNonQuery()
        MsgBox("Update data")
        con.Close()
    Catch ex As Exception
        MsgBox(ex.Message)

    End Try

Upvotes: -3

anon
anon

Reputation:

What happens this way?

sqlCommand.CommandText = "SELECT * FROM Customer WHERE Name LIKE @Name;";
sqlCommand.Parameters.AddWithValue("@Name", "%" + searchString + "%");

You could also code it as follows to avoid all the wildcard formatting in the first place:

sqlCommand.CommandText = "SELECT * FROM Customer WHERE CHARINDEX(@Name, Name) > 0;";
sqlCommand.Parameters.AddWithValue("@Name", searchString);

If you're going to insist on doing it the unsafe way, at the very least double-up any single quotes found in searchString, e.g.

searchString.Replace("'", "''")

Upvotes: 14

StuartLC
StuartLC

Reputation: 107247

String.Format needs a placeholder, like {0} {1} etc.

sqlCommand.CommandText = "SELECT * FROM Customer WHERE Name LIKE @Name;";
sqlCommand.Parameters.AddWithValue("@Name", String.Format("%{0}%", searchString));

Upvotes: 1

Related Questions