SQLite Prepared Statements

Use something like this:

LIKE ?

in the SQL.

Then bind it to text that has the values concatenated:

BindValue(2, "%" + value + "%")

Paul’s method has always worked for me.

As an old fart… who’s never used bind, always created an explicit string or used the replace function, what’s the advantage of using bind?

Safety. Prepared statements are the only safe way to protect yourself from injection attacks.
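
The difference discussed in this thread, as an added example that is not code from any of the posters: Python's sqlite3 module stands in for the BindValue call, and the table, rows and function names are constructed for illustration. It goes one step beyond the thread by showing that % and _ inside a bound value are still LIKE wildcards unless escaped.

```python
import sqlite3

def make_db():
    # Constructed sample data for this example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT)")
    rows = ["Paul", "Pauline", "Greg", "O'Brien", "100% Real", "a_b"]
    db.executemany("INSERT INTO people (name) VALUES (?)", [(n,) for n in rows])
    return db

def search_concat(db, value):
    # Explicit string building: the value becomes part of the SQL text,
    # so quotes inside it change the statement that SQLite parses.
    sql = "SELECT name FROM people WHERE name LIKE '%" + value + "%' ORDER BY id"
    return [r[0] for r in db.execute(sql)]

def search_bound(db, value):
    # LIKE ? in the SQL, wildcards concatenated onto the bound text.
    # The value is passed as data and is never parsed as SQL.
    sql = "SELECT name FROM people WHERE name LIKE ? ORDER BY id"
    return [r[0] for r in db.execute(sql, ("%" + value + "%",))]

def search_bound_literal(db, value):
    # Binding stops injection, but % and _ in the value still act as
    # LIKE wildcards. Escape them when the input must match literally.
    esc = value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT name FROM people WHERE name LIKE ? ESCAPE '\\' ORDER BY id"
    return [r[0] for r in db.execute(sql, ("%" + esc + "%",))]

if __name__ == "__main__":
    db = make_db()
    hostile = "zzz' OR '1' LIKE '1"   # constructed input containing quotes
    print("concat:", search_concat(db, hostile))    # every row comes back
    print("bound: ", search_bound(db, hostile))     # no row matches
    print("bound O'Brien:", search_bound(db, "O'Brien"))
    print("bound %:", search_bound(db, "%"))
    print("literal %:", search_bound_literal(db, "%"))
```
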