如何？参数和LIKE语句SQL [英] Howto? Parameters and LIKE statement SQL

问题描述

我写一个搜索功能，并想出了用参数prevent，或者至少限制，SQL注入攻击此查询。然而，当我运行它通过我的程序，它不返回任何东西：

I am writing a searching function, and have thought up of this query using parameters to prevent, or at least limit, SQL injection attacks. However, when I run it through my program it does not return anything:

SELECT * FROM compliance_corner WHERE（身体LIKE'％@查询％'）或（标题LIKE'％@查询％'）

能否参数一起使用这个样子？还是仅仅是在一个实例有效，如：

Can parameters be used like this? or are they only valid in an instance such as:

SELECT * FROM compliance_corner WHERE身体LIKE'％＆LT;串＆GT;％（其中＆LT;串＆GT; 是搜索对象）。

SELECT * FROM compliance_corner WHERE body LIKE '%<string>%' (where <string> is the search object).

编辑：我是建设有VB.NET这个功能，这是否对你们作出了贡献语法的影响

I am constructing this function with VB.NET, does that have impact on the syntax you guys have contributed?

另外，我跑在SQL Server中的语句： SELECT * FROM compliance_corner WHERE（身体LIKE'％最大值％'）或（标题LIKE ％最大％'）`并返回结果。

Also, I ran this statement in SQL Server: SELECT * FROM compliance_corner WHERE (body LIKE '%max%') OR (title LIKE %max%')` and that returns results.

推荐答案

您的Visual Basic code会是这个样子：

Your visual basic code would look something like this:

Dim cmd as New SqlCommand("SELECT * FROM compliance_corner WHERE (body LIKE '%' + @query + '%') OR (title LIKE '%' + @query + '%')")

cmd.Parameters.Add("@query", searchString)

这篇关于如何？参数和LIKE语句SQL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！