SQLite query LIKE problem

Hi,
I have a problem with a query; in another language that I use it’s working well (AutoIt).

  querysql = "SELECT * FROM MYTAB WHERE ("
  querysql = querysql + "MYTAB.NAME"+" LIKE %" + txt_Find.Text + "%)"

It returns an error near “%”.
Where is the problem?

Thank you for the support.

I guess the error is near % :)

querysql = "SELECT * FROM MYTAB WHERE MYTAB.NAME LIKE '%" + txt_Find.Text + "%'"

Just a quick note: this approach is vulnerable to injection attacks if you’re not sanitising txt_Find.Text (which it looks like you’re not). E.g., someone could search for the text

which could delete your table MYTAB.
Have a look at Prepared Statements, which will avoid this.

[quote=171112:@Stefano Riva]querysql = "SELECT * FROM MYTAB WHERE ("
querysql = querysql + "MYTAB.NAME"+" LIKE %" + txt_Find.Text + "%)"[/quote]

Try

[code]Dim ps As mySQLPreparedStatement
Dim rs As RecordSet
Dim strSearch As String = "%" + Find.Text + "%"
ps = DatabaseObject.Prepare("SELECT * FROM MYTAB WHERE (? LIKE ?)")

ps.Bind(0, MYTAB.NAME.ConvertEncoding(Encodings.the_Table_Encoding))
ps.BindType(0, mySQLPreparedStatement.String…)
ps.Bind(1, strSearch.ConvertEncoding(Encodings.the_Table_Encoding))
ps.BindType(1, mySQLPreparedStatement.String…)

rs = ps.SQLExecute

While rs <> Nil And Not rs.EOF
  ' Process the current row here, then advance so the loop terminates
  rs.MoveNext
Wend[/code]

Written from my mind - Not tested

[quote=171132:@Sascha S][code]ps = DatabaseObject.Prepare("SELECT * FROM MYTAB WHERE (? LIKE ?)")

ps.Bind(0, MYTAB.NAME.ConvertEncoding(Encodings.the_Table_Encoding))
ps.BindType(0, mySQLPreparedStatement.String…)
ps.Bind(1, strSearch.ConvertEncoding(Encodings.the_Table_Encoding))
ps.BindType(1, mySQLPreparedStatement.String…)[/code][/quote]

or

[code]ps = DatabaseObject.Prepare("SELECT * FROM MYTAB WHERE (" + MYTAB.NAME + " LIKE ?)")

ps.Bind(0, strSearch.ConvertEncoding(Encodings.the_Table_Encoding))
ps.BindType(0, mySQLPreparedStatement.String…)[/code]
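
An added example, not code from any poster in this thread: a Python `sqlite3` sketch of the three query forms discussed above, run against constructed sample rows. It shows the concatenated form failing on a name that contains a single quote, `? LIKE ?` comparing a bound string instead of the column, and the form that binds only the search text. The `ALLOWED_COLUMNS` allowlist, the function names and the wildcard escaping are assumptions that go beyond what the thread covers.

```python
import sqlite3

ALLOWED_COLUMNS = {"NAME"}  # assumption: the columns a search box may target

def make_db():
    """Constructed sample rows standing in for the thread's MYTAB table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE MYTAB (NAME TEXT)")
    rows = [("Stefano",), ("O'Brien",), ("100% cotton",), ("1000 nails",)]
    db.executemany("INSERT INTO MYTAB VALUES (?)", rows)
    return db

def find_concat(db, text):
    """Quoted but concatenated: the user's text becomes part of the SQL."""
    sql = "SELECT NAME FROM MYTAB WHERE MYTAB.NAME LIKE '%" + text + "%'"
    return [r[0] for r in db.execute(sql)]

def find_both_bound(db, text):
    """'? LIKE ?': the first placeholder is bound as a string value, so
    SQLite compares the literal text 'MYTAB.NAME', never the column."""
    sql = "SELECT NAME FROM MYTAB WHERE (? LIKE ?)"
    return [r[0] for r in db.execute(sql, ("MYTAB.NAME", "%" + text + "%"))]

def find_bound(db, text, column="NAME"):
    """Column checked against an allowlist; search text bound as data."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError("unknown column: " + column)
    # Escape LIKE wildcards so a typed % or _ matches literally.
    esc = text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = f"SELECT NAME FROM MYTAB WHERE MYTAB.{column} LIKE ? ESCAPE '\\'"
    return [r[0] for r in db.execute(sql, ("%" + esc + "%",))]

if __name__ == "__main__":
    db = make_db()
    try:
        find_concat(db, "O'Brien")
    except sqlite3.OperationalError as exc:
        print("concatenated query failed:", exc)
    print("? LIKE ? with 'Stef':", find_both_bound(db, "Stef"))
    print("bound search 'O'Brien':", find_bound(db, "O'Brien"))
    print("bound search '100%':", find_bound(db, "100%"))
```

Placeholders carry values only; an identifier such as a column name has to be part of the SQL text, which is why it is checked against a fixed list before being placed there.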

Everybody is right to advise a prepared statement.

However…

The problem you have is that you are missing single quote marks (') before and after the % signs in your SQL.

I thank everyone for the support; tomorrow I’ll try your solutions. Thank you.