SQlite Like % supported

I keep running into an error when I try to use the SQLite like %

sql = "SELECT * FROM us WHERE " + searchmenu.text + " LIKE %" + searchfield.text + "%  ORDER BY zip"

It tells me % is syntax error, but SQLite website displays LIKE and the wildcard % as legal syntax

Try this:

sql = “SELECT * FROM us WHERE " + searchmenu.text + " LIKE '%” + searchfield.text + “%’ ORDER BY zip”

OK found my error needed a ’ before and after the two %'s

Holy SQL injections batman!
Have you looked into prepared statements?

[quote=341190:@Tim Parnell]Holy SQL injections batman!
Have you looked into prepared statements?[/quote]

On a desktop app? Also I sanitize the search text as well.

uh… yes… no reason to limit where and how your apply good habits and techniques. :slight_smile:

Does anyone know if we need more than just a replace all to remove single quotes here?
Just wondering what may go wrong otherwise.

[quote=341188:@Michael Eckert]Try this:

sql = “SELECT * FROM us WHERE " + searchmenu.text + " LIKE '%” + searchfield.text + “%’ ORDER BY zip”[/quote]

Michael,

You must have been posting when as I was, thanks it was the single quote.

I have restructured the query to prevent injections. Thanks everyone

[quote=341194:@Christian Schmitz]Does anyone know if we need more than just a replace all to remove single quotes here?
Just wondering what may go wrong otherwise.[/quote]
You can’t do that. If the user wants an apostrophe, you need to double up the single quotes. Better to use prepared statements just to be safe.