Subject | Re: AW: [firebird-support] Wildcard for Firebird |
---|---|
Author | Leonardo Nakahara de Oliveira |
Post date | 2005-01-21T15:14:36Z |
This might be a great solution.
Just let me know something ... The variable getCmd is of what type?
Thanks
Alexander Gräf wrote:
>
>
>>-----Original Message-----
>>From: Leonardo Nakahara de Oliveira [mailto:okinawadin@...]
>>Sent: Friday, 21 January 2005 14:42
>>To: firebird-support@yahoogroups.com
>>Subject: [firebird-support] Wildcard for Firebird
>>
>>
>>Hello all,
>>
>>I'm developing an application on .Net using the
>>FirebirdNETProvider-1.6.3-NET1.1 found on the Firebird site.
>>
>>So, I need to make a query like that:
>>
>>"select from <table> where <field> like '<something_the_user_wrote>%'"
>>
>>
>>
>
>Maybe the user inserted a ' char. This would yield the following:
>
>SELECT FROM Table WHERE Description LIKE 'Hello'%';
>
>This would yield the error you have described (I've checked it):
>
>fmSQLEditor.Query:
>Invalid token.
>Dynamic SQL Error.
>SQL error code = -104.
>Token unknown - line 2, char 45.
>%.
>
>
>You should use parameters, and pass the user's values, formatted this way for example:
>
>string ParamValue=String.Format("{0}%", SomethingTheUserWrote);
>getCmd.AddParameter(ParamValue...);
>
>_Never ever_ build SQL directly from user's input, even if you are using some kind of escaping function. Simply use parameters, and let the .NET-Provider do the dirty work of filtering SQL injections out.
>
>Cheers
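Added example, not code from the thread or from the Firebird .NET provider project: a complete parameterised prefix search showing what getCmd is (an FbCommand) and how the user's text travels only as a parameter value, so the apostrophe from the original question can no longer break the statement. It assumes the current FirebirdSql.Data.FirebirdClient namespace (the 1.6.3 provider discussed above used FirebirdSql.Data.Firebird with the same FbConnection/FbCommand/FbParameter types), a hypothetical ITEMS table with a DESCRIPTION column, and a placeholder connection string. It also goes one step beyond the thread: parameters stop injection, but a user-typed '%' or '_' still acts as a LIKE wildcard, so the example escapes those with Firebird's ESCAPE clause.

```csharp
using System;
using System.Collections.Generic;
using FirebirdSql.Data.FirebirdClient;   // assumption: current provider namespace

public static class PrefixSearch
{
    // Escape the LIKE metacharacters so that a user-typed '%' or '_' matches
    // literally instead of widening the search. Backslash is the escape char
    // declared in the ESCAPE clause below, so it must be doubled first.
    public static string EscapeLike(string input)
    {
        return input.Replace("\\", "\\\\").Replace("%", "\\%").Replace("_", "\\_");
    }

    // Same idea as the String.Format suggestion in the thread, with the
    // wildcards escaped first; the trailing '%' is the only intended wildcard.
    public static string BuildPrefixPattern(string somethingTheUserWrote)
    {
        return String.Format("{0}%", EscapeLike(somethingTheUserWrote));
    }

    // getCmd is an FbCommand. The SQL text is a constant; the user's text is
    // bound as a parameter, so quotes in it are data, never syntax.
    public static List<string> FindByPrefix(FbConnection connection, string somethingTheUserWrote)
    {
        var results = new List<string>();
        const string sql =
            "SELECT DESCRIPTION FROM ITEMS WHERE DESCRIPTION LIKE @prefix ESCAPE '\\'";

        using (var getCmd = new FbCommand(sql, connection))
        {
            getCmd.Parameters.Add("@prefix", FbDbType.VarChar).Value =
                BuildPrefixPattern(somethingTheUserWrote);

            using (FbDataReader reader = getCmd.ExecuteReader())
            {
                while (reader.Read())
                    results.Add(reader.GetString(0));
            }
        }
        return results;
    }

    public static void Main()
    {
        // Constructed inputs: the apostrophe that broke the original query,
        // and a stray '%' that would otherwise match every row.
        Console.WriteLine(BuildPrefixPattern("Hello'"));
        Console.WriteLine(BuildPrefixPattern("100%"));

        // Placeholder connection string; replace with your own values.
        using (var connection = new FbConnection(
            "DataSource=localhost;Database=/path/to/db.fdb;User=SYSDBA;Password=<password>"))
        {
            connection.Open();
            foreach (string description in FindByPrefix(connection, "Hello'"))
                Console.WriteLine(description);
        }
    }
}
```

The statement text never changes between calls, which is also what lets the server prepare it once; only the bound value differs. Compare the concatenated form from the question, where the same "Hello'" input becomes part of the SQL grammar and produces the "Token unknown ... %" error quoted above.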