Subject Re: [firebird-support] Wildcard for Firebird
Author Alexander Gräf
> -----Original Message-----
> From: Leonardo Nakahara de Oliveira [mailto:okinawadin@...]
> Sent: Friday, 21 January 2005 14:42
> To:
> Subject: [firebird-support] Wildcard for Firebird
> Hello all,
> I'm developing an application on .Net using the
> FirebirdNETProvider-1.6.3-NET1.1 found on the Firebird site.
> So, I need to make a query like that:
> "select from <table> where <field> like '<something_the_user_wrote>%'"

Maybe the user inserted a ' char. This would yield the following:

SELECT FROM Table WHERE Description LIKE 'Hello'%';

This would yield the error you have described (I've checked it):

Invalid token.
Dynamic SQL Error.
SQL error code = -104.
Token unknown - line 2, char 45.

You should use parameters, and pass the user's values, formatted this way for example:

string ParamValue = String.Format("{0}%", SomethingTheUserWrote);

_Never ever_ build SQL directly from user input, even if you are using some kind of escaping function. Simply use parameters, and let the .NET provider do the dirty work of filtering SQL injections out.
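As an added example (not Alexander's code and not part of the original thread), the concatenated query from the question beside the parameterised version using the provider's FbConnection/FbCommand classes; the namespace FirebirdSql.Data.Firebird (the 1.x provider's), the table and column names, and the connection string are assumptions.

```csharp
using System;
using System.Collections;
using System.Data;
using FirebirdSql.Data.Firebird;   // assumed: namespace of the 1.x provider (later versions: FirebirdSql.Data.FirebirdClient)

class PrefixSearch
{
    // VULNERABLE: the user's text becomes part of the statement. Input  Hello'  yields
    //   ... LIKE 'Hello'%'   -> Dynamic SQL Error, code -104, "Token unknown"
    // and input crafted with quotes can change what the statement does.
    static string BuildUnsafeSql(string userInput)
    {
        return "SELECT Description FROM Products WHERE Description LIKE '" + userInput + "%'";
    }

    // SAFE: the SQL text is fixed; the user's text travels as a parameter value,
    // so a quote inside it is just data. The % wildcard is appended to the value,
    // never to the SQL. (Note: % or _ typed by the user still act as LIKE wildcards;
    // that is a matching concern, not an injection.)
    static ArrayList FindByPrefix(FbConnection conn, string userInput)
    {
        string sql = "SELECT Description FROM Products WHERE Description LIKE @prefix";
        ArrayList hits = new ArrayList();   // .NET 1.1 has no generics
        using (FbCommand cmd = new FbCommand(sql, conn))
        {
            cmd.Parameters.Add("@prefix", FbDbType.VarChar).Value =
                String.Format("{0}%", userInput);   // {0}, not {1}
            using (FbDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    hits.Add(reader.GetString(0));
            }
        }
        return hits;
    }

    static void Main()
    {
        // placeholder connection string; adjust to your server and database
        string connStr = "User=SYSDBA;Password=masterkey;Database=C:\\data\\shop.fdb;DataSource=localhost;";
        using (FbConnection conn = new FbConnection(connStr))
        {
            conn.Open();
            Console.WriteLine("Unsafe statement would be: " + BuildUnsafeSql("Hello'"));
            ArrayList hits = FindByPrefix(conn, "Hello'");   // the input that broke the concatenated query
            Console.WriteLine("{0} row(s) start with Hello'", hits.Count);
        }
    }
}
```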