Wild Card % Giving an Error in a SQL Query

Question

This Oracle SQL query written in c# is giving me the following error : invalid character

qur = " select * from emp where name LIKE '%" + TextBox1.Text + "%'";

How can I solve this?

please do parameterized the query. what if i set the value of my textbox with `'; DROP emp; --` — John Woo, Mar 27 '13 at 13:05
The problem doesn't seem to be on `%` character. What does `TextBox1.Text` contain? — Claudio Redi, Mar 27 '13 at 13:07

score 4 · Answer 1 · edited May 23 '17 at 11:49

4

The problem is your query is very open to Sql Injection attacks. Since you are not using parametrized queries anything entered in TextBox1 can crush your query.

for example if I enter : ' char in Textbox your query will be select * from emp where name LIKE '%'%' and it will throw error. And apart from that it is vulnerability and you should not use such queries.

You can change query to :

SqlCommand cmd= new SqlCommand( " select * from emp where name LIKE @myParam");
cmd.Parameters.AddWithValue("@myParam", "%" + TextBox1.Text + "%");

you missed @

How do parameterized queries help against SQL injection?

C# constructing parameter query SQL - LIKE %

edited May 23 '17 at 11:49

Community

1
1

answered Mar 27 '13 at 13:07

adt

4,271
5
32
51

Thank You so much for the info. – Shanna Mar 27 '13 at 13:25
1

@SandraDsouza you are welcome. Just be careful about Sql Injection attacks. It is a very serious problem. – adt Mar 27 '13 at 13:27

score -2 · Answer 2 · answered Mar 27 '13 at 13:12

-2

you should use it as below:

qur = " select * from emp where name LIKE '%'" + TextBox1.Text + "'%'";

answered Mar 27 '13 at 13:12

Code Rider

1,939
4
31
50

Wild Card % Giving an Error in a SQL Query

2 Answers2