Subject RE: [firebird-support] Wildcard for Firebird
Author Alexander Gräf
> -----Original Message-----
> From: Leonardo Nakahara de Oliveira [mailto:okinawadin@...]
> Sent: Friday, 21 January 2005 14:42
> To: firebird-support@yahoogroups.com
> Subject: [firebird-support] Wildcard for Firebird
>
>
> Hello all,
>
> I'm developing an application on .Net using the
> FirebirdNETProvider-1.6.3-NET1.1 found on the Firebird site.
>
> So, I need to make a query like this:
>
> "select from <table> where <field> like '<something_the_user_wrote>%'"
>

Maybe the user inserted a ' char. This would yield the following:

SELECT FROM Table WHERE Description LIKE 'Hello'%';

This would yield the error you have described (I've checked it):

fmSQLEditor.Query:
Invalid token.
Dynamic SQL Error.
SQL error code = -104.
Token unknown - line 2, char 45.
%.


You should use parameters, and pass the user's values, formatted this way, for example:

// Append the wildcard to the parameter value, not to the SQL text ({0} is the first format argument)
string ParamValue = String.Format("{0}%", SomethingTheUserWrote);
getCmd.AddParameter(ParamValue...);

_Never ever_ build SQL directly from user input, even if you are using some kind of escaping function. Simply use parameters, and let the .NET-Provider do the dirty work of filtering SQL injections out.

Cheers
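The two approaches contrasted in this reply, as an added example that is not part of the thread and not code from the Firebird .NET provider. It uses Python's built-in sqlite3 module as a stand-in database so it runs offline; the table, rows and the `?` placeholder are constructed here (the Firebird provider uses named parameters such as `@p` instead). It also shows the caveat parameters alone do not cover: a user-typed `%` or `_` is still a LIKE wildcard unless it is escaped with an ESCAPE clause, which Firebird supports as well.

```python
import sqlite3

# Constructed sample rows, not data from the original thread.
ROWS = [
    ("Hello world",),
    ("Hello' or 1=1",),
    ("100% cotton",),
    ("Help wanted",),
]


def make_db():
    """Create an in-memory table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (description TEXT)")
    conn.executemany("INSERT INTO items VALUES (?)", ROWS)
    return conn


def search_unsafe(conn, user_text):
    """The pattern from the question: SQL text assembled from user input.
    A single quote in user_text terminates the literal early and the
    statement no longer parses (or, worse, parses as something else)."""
    sql = ("SELECT description FROM items WHERE description LIKE '"
           + user_text + "%' ORDER BY description")
    return [row[0] for row in conn.execute(sql)]


def unsafe_query_fails(conn, user_text):
    """Return True if the concatenated query is rejected by the parser."""
    try:
        search_unsafe(conn, user_text)
    except sqlite3.OperationalError:
        return True
    return False


def search_param(conn, user_text):
    """Prefix search with a bound parameter: the wildcard is appended to the
    VALUE, so the SQL text is constant and quotes cannot break out of it."""
    pattern = user_text + "%"
    sql = "SELECT description FROM items WHERE description LIKE ? ORDER BY description"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def escape_like(text, esc="\\"):
    """Escape LIKE metacharacters so a user-typed % or _ matches literally.
    The escape character itself is doubled first."""
    return (text.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_param_literal(conn, user_text):
    """Parameterised prefix search where only OUR trailing % is a wildcard."""
    pattern = escape_like(user_text) + "%"
    sql = ("SELECT description FROM items WHERE description LIKE ? ESCAPE '\\' "
           "ORDER BY description")
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = make_db()
    print("concatenation, plain input :", search_unsafe(db, "Hello"))
    print("concatenation, quote breaks:", unsafe_query_fails(db, "Hello'"))
    print("parameter, quote is data   :", search_param(db, "Hello'"))
    print("parameter, % still wildcard:", search_param(db, "%"))
    print("parameter + ESCAPE, literal:", search_param_literal(db, "100%"))
```

With the parameter bound, the quote in `Hello'` is just data and matches the row that contains it. Firebird additionally offers the `STARTING WITH` operator for prefix matches, which treats no character as a wildcard and so needs neither the trailing `%` nor the escaping shown here.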