Why isn't my parameterized query working?
I have a kinda complex query, basically I search the database in most fields for a string or strings. If it's multiple strings, the database field must match all parts of the strings.
This is the base sql that the query is built on:
SELECT开发者_StackOverflow中文版 wo.ID, {columns} FROM tblWorkOrder wo
LEFT JOIN tblWorkOrderCategory wc
ON wo.CategoryID = wo.ID
LEFT JOIN tblTenant t
ON wo.TenantID = t.ID
LEFT JOIN tblProperty p
ON wo.PropertyID = p.ID
LEFT JOIN tblRentalUnit ru
ON wo.UnitID = ru.ID
Columns is replaced with this list:
"wo.Date", "wo.WorkDesc", "wo.Priority", "wo.WorkDoneBy", "wo.EstimatedCost", "wo.DueDate", "wo.ActualCost", "wo.FinishedDate", "wo.workOrderNum",
"wc.[Description]",
"t.TenantName",
"p.PropertyName",
"ru.UnitNumber"
and this is how I build the query:
String[] parts = txtSearch.Text.Split(' ');
foreach (String column in columnsToSearch) {
String clause = " (";
for (int i = 0; i < parts.Length; i++) {
clause += column + " LIKE '%@param" + i + "%' ";
if (i + 1 != parts.Length) {
clause += "AND ";
}
}
clause = clause.TrimEnd() + ") ";
sql += clause + " OR ";
}
sql = sql.TrimEnd(new char[] { 'O', 'R', ' ' });
using (SqlConnection conn = new SqlConnection(RentalEase.Properties.Settings.Default.RentalEaseConnectionString)) {
SqlCommand command = new SqlCommand(sql, conn);
for (int i = 0; i < parts.Length; i++) {
command.Parameters.Add("@param" + i, SqlDbType.NVarChar).Value = parts[i];
//command.CommandText = command.CommandText.Replace("@param" + i, parts[i]);
}
Only this always returns no rows. However, in the for loop that assigns the parameter values, if I comment out the Parameters.Add line and uncomment the one below it, I wind up with results like I should be seeing. As this is an unsafe way to do it, I'd like to know why using parameters is failing.
You are looking for the literal '@Param'
; you mean:
... LIKE '%' + @param" + i + " + '%' ...
so that the TSQL is:
... LIKE '%' + @param2 + '%' ...
Or simpler; put the '%'
into the value in the calling code; then your code becomes:
... LIKE @param" + i + " ...
and the TSQL becomes:
... LIKE @param2 ...
Use SQL Profiler - you'll see exactly what gets sent to SQL Server, including all your parameters and their values.
Copy and paste that into SQL Server Mgmt Studio and run it - I'm sure you'll find out what's causing the issue... or if not, you can always post the parametrized query here and we'll help again :-)
精彩评论