System.data.sqlclient.sqlexception: 'incorrect syntax near the keyword 'like'.'

Question

1.00/5 (2 votes)

See more:

SQL SERVER
cn.Open()
cm = New SqlCommand("SELECT * FROM tblProduct AS p INNER JOIN tblGeneric AS g ON p.ProductGeneric = GenericID INNER JOIN tblBrand AS b ON p.ProductBrand = BrandID INNER JOIN tblFromulation AS f ON p.ProductFromulation = FromulationID INNER JOIN tblClassification AS c ON p.ProductClassification = ClassificationID INNER JOIN tblType AS t ON p.ProductType = TypeID where ProductQuantity > 0 and " & cboFilter.Text & " like '" & txtSearch.Text & "'", cn)
dr = cm.ExecuteReader

What I have tried:

SELECT * FROM tblProduct AS p INNER JOIN tblGeneric AS g ON p.ProductGeneric = GenericID INNER JOIN tblBrand AS b ON p.ProductBrand = BrandID INNER JOIN tblFromulation AS f ON p.ProductFromulation = FromulationID INNER JOIN tblClassification AS c ON p.ProductClassification = ClassificationID INNER JOIN tblType AS t ON p.ProductType = TypeID where ProductQuantity > 0 and " & cboFilter.Text & " like '" & txtSearch.Text & "'

Posted 13-Jul-24 17:29pm

Raedr

Updated 15-Jul-24 19:17pm

Rick York

v2

Add a Solution

Comments

PIEBALDconsult 13-Jul-24 23:43pm

Do not use string concatenation to form SQL statements!

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

OriginalGriff · Answer 1 · 2024-07-13T18:21:00

You have two problems here: the first is that as PIEBALDconsult has said, you should never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:

SQL

SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'

The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:

SQL

SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'

Which SQL sees as three separate commands:

SQL

SELECT * FROM MyTable WHERE StreetAddress = 'x';

A perfectly valid SELECT

SQL

DROP TABLE MyTable;

A perfectly valid "delete the table" command

SQL

--'

And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?

The second is that you can't parameterize the column name: the SQL preprocessor does optimisations before the parameter replacement so a query like this will return no records:

SQL

DECLARE @C NVARCHAR(MAX)
Set @C = 'Title'
SELECT * FROM VIDEOS WHERE @C LIKE '%My Movie%'

That means that to be safe you have to use CASE WHEN to select only valid column names and build the SQL query that way. Concatenating the column name and "making absolutely sure that the user can't type anything into it" is risky as some future change could replace the combo box with a textbox and put your whole DB at risk.

But very, very definitely parameterize the search string! That'll probably get rid of your problem at the same time.

Choose to search for the product using combobox

The way I;'d do it to vbe safe is to have two columns in you combobox: a visible column that describes the table to search, and a hidden column which contained a search string specific to that table:
"Computer Monitors" and "Keyboards" would be the visible rows, and the hidden column would contain "SELECT * FROM PRODUCTS WHERE Monitors LIKE '%@SEARCH%'" and "SELECT * FROM PRODUCTS WHERE Keyboards LIKE '%@SEARCH%'"
That way, the user can't enter a value for the columns name which could allow SQL Injection.

You set the BoundColumn property of the ComboBox to the hidden column, and the other one will be displayed. You can access the visible data with the Text property, and the hidden data with the Value property.

With me so far? Give it a try ...

Raedr · Answer 2 · 2024-07-15T21:46:00

First of all, I would like to thank you very much
For anyone trying to help with programming
I didn't achieve anything after many attempts
What I need from this code is:
I have a Combobox. Choose a search method by barcode, product name, or company
I also have a textbox that I write in after choosing the search method, either barcode, name, or company
The search results appear on DatagardView
This is what is required
thank you

System.data.sqlclient.sqlexception: 'incorrect syntax near the keyword 'like'.'

2 solutions

Solution 1

Solution 4

Add your solution here

Preview 0