Parameterized LIKE results in fail
----------------------------------

                 Key: DNET-976
                 URL: http://tracker.firebirdsql.org/browse/DNET-976
             Project: .NET Data provider
          Issue Type: Bug
          Components: NuGet packages
    Affects Versions: 7.5.0.0
         Environment: Windows 10 2004, Visual Studio 2019 Community Edition 16.7.7
                      Server runs on Windows Server 2019, Firebird Server 2.5.9
            Reporter: Marvin Klein
            Assignee: Jiri Cincura

Consider the following scenario.

Table: CUSTOMERS
Fields:
    CUSTOMER_FIRSTNAME VARCHAR(10)
    CUSTOMER_LASTNAME  VARCHAR(15)

Now I have the following C# code:

    // Create connection
    // Create Command
    command.Parameters.AddWithValue("@SEARCH", $"%{search.ToUpper()}%");
    command.CommandText = "SELECT * FROM CUSTOMERS WHERE CUSTOMER_FIRSTNAME LIKE @SEARCH OR CUSTOMER_LASTNAME LIKE @SEARCH";
    command.ExecuteReader();
    // do something with the command.

This works fine as long as my parameter search does not exceed 10 characters. When you try this command with more than 10 characters, you get an exception.

However, doing the following does not result in an exception:

    command.CommandText = $"SELECT * FROM CUSTOMERS WHERE CUSTOMER_FIRSTNAME LIKE '%{search.ToUpper()}%' OR CUSTOMER_LASTNAME LIKE '%{search.ToUpper()}%' ";
    command.ExecuteReader();
    // do something with the command, no exception

But using this way I am vulnerable to SQL injections.
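The following is an added example written for this editing pass; it is not the reporter's code and not code from the Firebird .NET provider. It assumes a reachable Firebird database containing the CUSTOMERS table described above, and that the exception is the engine typing the parameter from the VARCHAR(10) column it is compared against (a labelled assumption, not something the report confirms). It keeps the query parameterized, widens the parameter explicitly with CAST (the width 100 is an arbitrary placeholder), and escapes LIKE wildcards so user input cannot change the pattern's meaning:

```csharp
using System;
using System.Text;
using FirebirdSql.Data.FirebirdClient;

// Added example (editor's code, not the reporter's or the provider's).
// Assumes a Firebird database with the CUSTOMERS table from the report;
// the connection string and the VARCHAR(100) width are placeholders.
public static class CustomerSearch
{
    // Prefix LIKE metacharacters ('%', '_') and the escape character itself
    // so that user input only ever matches literally inside the pattern.
    public static string EscapeLikePattern(string input, char escape = '\\')
    {
        var sb = new StringBuilder(input.Length);
        foreach (var c in input)
        {
            if (c == '%' || c == '_' || c == escape)
            {
                sb.Append(escape);
            }
            sb.Append(c);
        }
        return sb.ToString();
    }

    public static int CountMatches(string connectionString, string search)
    {
        // CAST gives the parameter an explicit VARCHAR(100) type instead of
        // letting the engine derive it from the VARCHAR(10)/VARCHAR(15)
        // columns (assumed cause of the truncation exception in the report).
        // The query text is a constant; the user value only ever travels
        // as a bound parameter, so there is no SQL injection surface.
        const string sql = @"
            SELECT COUNT(*) FROM CUSTOMERS
            WHERE CUSTOMER_FIRSTNAME LIKE CAST(@SEARCH AS VARCHAR(100)) ESCAPE '\'
               OR CUSTOMER_LASTNAME  LIKE CAST(@SEARCH AS VARCHAR(100)) ESCAPE '\'";

        using var connection = new FbConnection(connectionString);
        using var command = new FbCommand(sql, connection);

        // Declare the parameter type and size explicitly rather than relying
        // on AddWithValue's inference from the .NET value.
        command.Parameters.Add("@SEARCH", FbDbType.VarChar, 100).Value =
            "%" + EscapeLikePattern(search.ToUpperInvariant()) + "%";

        connection.Open();
        return Convert.ToInt32(command.ExecuteScalar());
    }
}
```

Usage: `CustomerSearch.CountMatches(connectionString, "O'Brien_50%")` binds the escaped, upper-cased value as one parameter; the apostrophe is harmless because it never reaches the query text, and the `_` and `%` are matched literally because of the ESCAPE clause.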