How to use sql parameters for a select query?

Question

I need to fetch the records based on a 'like' match against a set of records,

The below query im using is not working . Does anyone knows what's wrong with the query?

 sqlCommand.CommandText =String.Format("SELECT * FROM Customer" +
                " WHERE (Name like @Name)","'%" +searchString.Trim()+"%'");
            sqlCommand.Parameters.AddWithValue("Name", searchString);

This query isnt fetching the desired records.

I'm getting the following error while running the above snippet:

Must declare the scalar variable "@Name".

You have `AddWithValue("Name", ...` shouldn't that be `@Name`? — Aaron Bertrand, Apr 24 '12 at 03:53
You didn't include the error you were getting. Can you please include it as a part of the question? — Aaron Bertrand, Apr 24 '12 at 03:55

Aaron Bertrand · Accepted Answer · 2012-04-24T04:28:34.933

13

What happens this way?

sqlCommand.CommandText = "SELECT * FROM Customer WHERE Name LIKE @Name;";
sqlCommand.Parameters.AddWithValue("@Name", "%" + searchString + "%");

You could also code it as follows to avoid all the wildcard formatting in the first place:

sqlCommand.CommandText = "SELECT * FROM Customer WHERE CHARINDEX(@Name, Name) > 0;";
sqlCommand.Parameters.AddWithValue("@Name", searchString);

If you're going to insist on doing it the unsafe way, at the very least double-up any single quotes found in searchString, e.g.

searchString.Replace("'", "''")

edited Apr 24 '12 at 04:28

answered Apr 24 '12 at 03:42

Aaron Bertrand

272,866
37
466
490

I'm getting this error "Must declare the scalar variable "@Name"." – NewBie Apr 24 '12 at 03:46
Wouldn't the wildcards (`%`) be in the `CommandText` vs the parameter. That is: `sqlCommand.CommandText="SELECT * FROM Customer WHERE Name LIKE %@Name%"` – vpiTriumph Apr 24 '12 at 03:47
@vpiTriumph that's not the way I'd do it. Similar to a parameter to a stored procedure, in the body I'd have `WHERE col LIKE @param` - then I can pass `'foo%'`, `'%bar'` or `'%splunge%'`... – Aaron Bertrand Apr 24 '12 at 03:49

score 1 · Answer 2 · answered Apr 24 '12 at 03:45

1

String.Format needs a placeholder, like {0} {1} etc.

sqlCommand.CommandText = "SELECT * FROM Customer WHERE Name LIKE @Name;";
sqlCommand.Parameters.AddWithValue("@Name", String.Format("%{0}%", searchString));

answered Apr 24 '12 at 03:45

StuartLC

104,537
17
209
285

score -3 · Answer 3 · answered Feb 19 '18 at 02:34

If Not con.State = ConnectionState.Open Then con.Open() End If

    Try

        Dim cmd As New OleDbCommand("UPDATE med_records SET Medicine=@Medicine,Dosage=@Dosage,Format=@Format,Expiration_date=@Expiration_date,Quantity=@Quantity where M_id=@M_id", con)
        cmd.Parameters.AddWithValue("@Medicine", txtMedicine.Text)
        cmd.Parameters.AddWithValue("@Dosage", txt_Dosage.Text)
        cmd.Parameters.AddWithValue("@Format", txt_Format.Text)
        cmd.Parameters.AddWithValue("@Expiration_date", txt_Expirationdate.Text)
        cmd.Parameters.AddWithValue("@Quantity", NumericUpDown1.Text)
        cmd.Parameters.AddWithValue("@M_id", txt_M_id.Text)
        cmd.ExecuteNonQuery()
        MsgBox("Update data")
        con.Close()
    Catch ex As Exception
        MsgBox(ex.Message)

    End Try

Code-only answers are discouraged at SO because they lack context and may be not helpful for future readers. Please edit your answer to comment on your solution. — Eduard Malakhov, Feb 19 '18 at 02:37

How to use sql parameters for a select query?

3 Answers3

Linked