
Consider the following code:

using System.Data;
using System.Data.SqlClient;

SqlConnection conn = new SqlConnection(@"connection string");

// The parameter name is wrapped in single quotes, so the server sees the literal
// text '@FL1' and the parameter added below is never used (the defect discussed in the answers).
SqlCommand ourCommand = new SqlCommand(String.Format(
    @"SELECT Field1,Field2,Field3 FROM Tbl WHERE Field1 LIKE '@FL1'"), conn);
ourCommand.CommandTimeout = 6000;

ourCommand.Parameters.AddWithValue("@FL1", TextBox1.Text);

// Fill a DataTable from the command and bind it to the grid
SqlDataAdapter adapter = new SqlDataAdapter(ourCommand);
DataTable dt = new DataTable();

conn.Open();
adapter.Fill(dt);
GridView1.DataSource = dt;

GridView1.DataBind();

The problem is that the DataTable is empty, which means either the command was not executed or an incorrect query was generated. What am I missing? The connection and query are valid. The command without the parameter also works. The database engine is SQL Server 2008 R2.

3
  • 4
    Try removing the single quotes from around the parameter '@FL1' --> @FL1 Commented Aug 2, 2012 at 14:43
  • Do you get results when running the same query (manually adding the value for the parameter) from the SQL Management Studio? Commented Aug 2, 2012 at 14:44
  • What data are you passing from TextBox1.Text? Is it something like "%sometext%"? I.e. if you execute query by itself with the same parameter (in SSMS for example) - does it return results? Commented Aug 2, 2012 at 14:44

6 Answers

6

You've put the parameter name in quotes, so it's being treated as a value, not as a parameter. Try this instead:

"SELECT Field1,Field2,Field3 FROM Tbl WHERE Field1 LIKE @FL1"

(I'd actually expect your existing code to throw an exception given that you're supplying more parameters than are in the SQL...)

As noted in comments, you don't need the string.Format either.


5 Comments

And that string.Format doesn't have an overload that only takes a single parameter...
Thanks to all, that's correct. One more question: will such usage of parameters protect from SQL injection?
@Oded: Yes it does - because of the params array. String.Format("foo") is equivalent to String.Format("Foo", new object[])
@seeker: Yes, it's fine - the value isn't part of the SQL, hence there's no injection risk.
@JonSkeet - I see. Didn't consider that the compiler will send an empty array if nothing was supplied...
5

Your query is not a well formatted query.

Instead of:

String.Format(
    @"SELECT Field1,Field2,Field3 FROM Tbl WHERE Field1 LIKE '@FL1'")

Use:

"SELECT Field1,Field2,Field3 FROM Tbl WHERE Field1 LIKE @FL1"

Note that there is no need for string.Format, nor to enclose the parameter name in '' and since there is nothing to escape in the string, no need for it to be a verbatim string literal (using the @), as Jon commented.

4 Comments

If the parameter is equal to "'" (apostrophe), then an exception is thrown, and that also means it's possible to perform SQL injection. How do I protect against that?
@seeker - No, it will not be vulnerable. Try it. The ADO libraries will escape the single quotes and you will not have a problem.
Yes, that's true. And one more question: what is the best way to store connection strings? In application as string or in web.config?
@seeker - web.config is the standard. It has a connectionStrings section just for this. And it is then configurable, which most applications do need.
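The points raised in the two answers and comments above (the unquoted @FL1 placeholder, an apostrophe in the value being harmless when it is passed as a parameter, and the connection string living in web.config) as one added example. This is not code from the question or from any of the answers. It assumes a connection string named DemoDb in web.config, a reachable SQL Server, and the Tbl/Field1 schema from the question; the input containing an apostrophe is constructed. Unlike the answers, it sets the parameter type and length explicitly instead of using AddWithValue.

```csharp
// Assumed web.config fragment (not part of the question):
// <configuration>
//   <connectionStrings>
//     <add name="DemoDb"
//          connectionString="Server=.;Database=DemoDb;Integrated Security=true"
//          providerName="System.Data.SqlClient" />
//   </connectionStrings>
// </configuration>
using System;
using System.Configuration;   // reference System.Configuration.dll
using System.Data;
using System.Data.SqlClient;

class ParameterizedLikeDemo
{
    // Corrected form from the answers: @FL1 is unquoted in the SQL text, and the
    // user's value travels to the server as typed data, never as part of the SQL.
    public static DataTable SearchSafe(SqlConnection conn, string userInput)
    {
        const string sql = "SELECT Field1,Field2,Field3 FROM Tbl WHERE Field1 LIKE @FL1";
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit type and length rather than AddWithValue, so the server
            // does not have to infer the SQL type from the CLR string.
            cmd.Parameters.Add("@FL1", SqlDbType.NVarChar, 200).Value = userInput;
            var dt = new DataTable();
            using (var adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(dt);
            }
            return dt;
        }
    }

    // The pattern the comments warn about, shown only to contrast with SearchSafe:
    // the value is spliced into the SQL text, so an apostrophe in it closes the
    // string literal early and whatever follows is parsed as SQL.
    public static string BuildConcatenatedSql(string userInput)
    {
        return "SELECT Field1,Field2,Field3 FROM Tbl WHERE Field1 LIKE '" + userInput + "'";
    }

    static void Main()
    {
        string input = "O'Brien%";   // constructed sample input containing an apostrophe

        Console.WriteLine("Text the server would parse if the value were concatenated:");
        Console.WriteLine("  " + BuildConcatenatedSql(input));

        // The connection string comes from the connectionStrings section, not from source code.
        string cs = ConfigurationManager.ConnectionStrings["DemoDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        {
            conn.Open();
            DataTable rows = SearchSafe(conn, input);
            Console.WriteLine("Parameterized query returned " + rows.Rows.Count
                + " row(s); the apostrophe was matched as data, not parsed as SQL.");
        }
    }
}
```

The concatenated string is only built and printed, never executed; comparing it with the parameterized path makes clear why the value in SearchSafe cannot change the shape of the query.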
3

Try changing the line to this (remove the tick marks surrounding @FL1)

SqlCommand ourCommand=new SqlCommand(
             "SELECT Field1,Field2,Field3 FROM Tbl WHERE Field1 LIKE @FL1",conn);

2 Comments

Drop the string.Format and you are there.
@Oded ha! was trying to see if anyone was paying attention ;) didn't even notice that myself :D fixed
1

If you are using parameters, you don't need to use single quotes. Take a look at the lesson here.


1

Well, first, you don't need the string.Format or the @'s (you have no escaped chars, your string is on one line, and you aren't using parameterized strings, so there's no reason for either one). Then, you don't need the quotes around @FL1. SqlCommand parses the entire string for @'s, not for substrings delimited by quotes. The final code, I believe, should look like this:

SqlCommand ourCommand=new SqlCommand("SELECT Field1,Field2,Field3 FROM Tbl WHERE Field1 LIKE @FL1",conn);

Everything else I think you can keep the same.


0

You need to force concatenation with percent % ->

SELECT Field1,Field2,Field3 FROM Tbl WHERE Field1 LIKE '%' + @FL1 + '%'
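An added example (not from this answer) of the other way to get the same "contains" search: the wildcards go into the parameter value instead of being concatenated in the SQL, and the LIKE metacharacters in the user's text are escaped first, so a % or _ typed into the text box matches literally rather than widening the search to the whole table. It assumes the same Tbl/Field1 schema and a reachable SQL Server; the inputs in Main are constructed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text;

class LikeWildcardDemo
{
    // Escape the characters SQL Server's LIKE treats specially (%, _, [ and the
    // escape character itself), then add the wildcards the application intends.
    // Pairs with the ESCAPE '\' clause in the query below.
    public static string ToContainsPattern(string userText)
    {
        var sb = new StringBuilder("%");
        foreach (char c in userText)
        {
            if (c == '\\' || c == '%' || c == '_' || c == '[')
                sb.Append('\\');
            sb.Append(c);
        }
        sb.Append('%');
        return sb.ToString();
    }

    public static DataTable SearchContains(SqlConnection conn, string userText)
    {
        // The SQL text is constant; the pattern, wildcards included, is the parameter value.
        const string sql =
            "SELECT Field1,Field2,Field3 FROM Tbl WHERE Field1 LIKE @FL1 ESCAPE '\\'";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@FL1", SqlDbType.NVarChar, 200).Value = ToContainsPattern(userText);
            var dt = new DataTable();
            using (var adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(dt);
            }
            return dt;
        }
    }

    static void Main()
    {
        // Constructed inputs: the second contains LIKE metacharacters that, unescaped,
        // would match any text (%) or any single character (_).
        foreach (var input in new[] { "abc", "100%_done[1]" })
            Console.WriteLine(input + "  ->  " + ToContainsPattern(input));

        using (var conn = new SqlConnection(@"Server=.;Database=DemoDb;Integrated Security=true"))
        {
            conn.Open();
            Console.WriteLine(SearchContains(conn, "100%_done[1]").Rows.Count + " row(s) matched literally.");
        }
    }
}
```

Whether the wildcards are added in SQL, as in this answer, or in the parameter value, as here, the escaping step is what keeps user-typed % and _ from being interpreted as pattern syntax.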
