Subject AW: [firebird-support] Wildcard for Firebird
Author Alexander Gräf
> -----Urspr√ľngliche Nachricht-----
> Von: Leonardo Nakahara de Oliveira [mailto:okinawadin@...]
> Gesendet: Freitag, 21. Januar 2005 14:42
> An: firebird-support@yahoogroups.com
> Betreff: [firebird-support] Wildcard for Firebird
>
>
> Hello all,
>
> I'm developing an application on .Net using the
> FirebirdNETProvider-1.6.3-NET1.1 found on the Firebird site.
>
> So, i need to make a query like that:
>
> "select from <table> where <field> like '<something_the_user_wrote>%'"
>

Maybe the user inserted a ' char. This would yield the following:

SELECT FROM Table WHERE Description LIKE 'Hello'%';

This would yield the error you have described (I've checked it):

fmSQLEditor.Query:
Invalid token.
Dynamic SQL Error.
SQL error code = -104.
Token unknown - line 2, char 45.
%.


You should use parameters, and pass the users values, formated this way for example:

string ParamValue=String.Format("{1}%", SomethingTheUserWrote);
getCmd.AddParameter(ParamValue...);

_Never ever_ build SQL directly from users input, even if you are using some kind of escaping function. Simply use parameters, and let the .NET-Provider do the dirty work of filtering SQL injections out.

Cheers