Mixing prepared statement parts?

So, as apparently many before me have, i am entering the “it’s time to use prepared statements” era. Right now I have put together an SQL select statemet where the GUI uses a mix of segmented controls and one text field.

In the code below, the rating = ‘BB’ and Main.number LIKE ‘5.%’ and made using the segmented controls, no there is no danger of invalid or malicious user input there (if i understand correctly) but the Main.text LIKE ‘%180%’ is user input.

SELECT * FROM Main WHERE rating = 'BB'  AND upper( Main.number LIKE '5.%') AND upper(Main.text LIKE '%180%')

So, my question is, can I make a prepared statement where everything is “as is” and only use the preparedstatment for the …text LIKE part?

Something like:

SELECT * FROM Main WHERE rating = 'BB'  AND upper( Main.number LIKE '5.%') AND upper(Main.text LIKE ?)

Or do I need to make a complete prepared statement like this (I guess):

SELECT * FROM Main WHERE rating = ?  AND upper( Main.number LIKE ?) AND upper(Main.text LIKE ?)

Just trying to get started on the right track.

Also, I’m guessing, since no-one ever seems to explicitly point this out that binding just goes in chronological order first “bind” to the first “?”

You don’t have to use ‘?’ for everything in your query, only the parts with inputs.

You need to tell the db what to bind to.
(Depending on db…)

stmt.BindType(0, SQLitePreparedStatement.SQLITE_TEXT) stmt.Bind(0, TextField1.Text)

Where 0 is the first ‘?’ in your query.

As a side note: In PostgreSQL you don’t need to use BindType