And when you do it like this, someone will submit "%' GO DELETE tblUsers --"
in your input box and wipe out your table (if the database user has enough
privileges to do so).
A better solution is to use the command object, like this:
// needs: using System.Data.OleDb;
OleDbCommand cmd = new OleDbCommand();
cmd.Connection = conn; // an open OleDbConnection
// OleDb binds parameters by position with '?', not by name
cmd.CommandText = "SELECT * FROM [tblUsers] WHERE [Address] LIKE ?";
cmd.Parameters.AddWithValue("@address", "%" + txtAddress.Text + "%");
Jerry
"David Wier" <> wrote in message
news:%...
> Dim sAddress As String
> sAddress = txtAddress.Text
> Dim SQL As String
> SQL = "SELECT * FROM tblUsers WHERE Adress LIKE '%" & sAddress & "%'"
>
> Put the % sign on the front and at the end, in order to search the entire
> field
>
> Check out this 2 Part Tutorial on Parameterized Queries:
> http://aspnet101.com/aspnet101/tutorials.aspx?id=1
>
> LIKE is covered in Part 2
>
> David Wier
> http://aspnet101.com
> http://aspexpress.com
>
>
> "wilco" <> wrote in message
> news:bgm62m$oou$...
> > hello,
> >
> > can anyone tell me how to create a stored procedure that is able to
> > search a table, or more tables, and can make use of wildcards?
> > I just made something like this:
> > SELECT * FROM tblUsers WHERE Adress LIKE '* Value from user who wants to
> > search the database *'
> > but I don't know where to place the @??? for the input
> > I also want to let the user select which table and field he wants to
> > search.
> >
> > thanks!!
> >
> >
>
>
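Added example (not code from anyone in the thread): the two patterns above side by side, plus one caveat the thread does not cover. Python's sqlite3 stands in for the OleDb/SQL Server setup because it uses the same positional `?` placeholders; the `tblUsers` schema, the three sample rows and the function names are constructed for the demonstration. `search_concat` is David's string-building approach, `search_param` is Jerry's bound-parameter approach, and `search_param_escaped` goes one step further: binding stops injection, but a typed `%` or `_` still behaves as a LIKE wildcard, so the user's text is escaped and an ESCAPE character is declared.

```python
import sqlite3

# Constructed sample data standing in for tblUsers (not from the thread).
ROWS = [
    ("alice", "12 Main Street"),
    ("bob", "7 Oak Avenue"),
    ("carol", "50% Discount Lane"),   # address contains a literal LIKE wildcard
]


def make_db():
    """In-memory table shaped like the thread's tblUsers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblUsers (Name TEXT, Address TEXT)")
    conn.executemany("INSERT INTO tblUsers VALUES (?, ?)", ROWS)
    return conn


def search_concat(conn, user_input):
    """String concatenation: the user's text becomes part of the SQL itself.
    An input such as  %' OR 1=1 --  rewrites the WHERE clause and returns
    every row; '--' comments out the closing %' that the code appends."""
    sql = "SELECT Name FROM tblUsers WHERE Address LIKE '%" + user_input + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, user_input):
    """Bound parameter: the wildcards are added to the *value*, and the value
    is sent separately from the SQL text, so it can never alter the query."""
    sql = "SELECT Name FROM tblUsers WHERE Address LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + user_input + "%",))]


def search_param_escaped(conn, user_input):
    """Binding does not stop wildcard smuggling: a typed '%' or '_' still acts
    as a wildcard inside LIKE. Escape both (and the escape char itself) and
    tell the database which character is the escape character."""
    escaped = (user_input.replace("\\", "\\\\")
                         .replace("%", "\\%")
                         .replace("_", "\\_"))
    sql = "SELECT Name FROM tblUsers WHERE Address LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]


if __name__ == "__main__":
    db = make_db()
    payload = "%' OR 1=1 --"
    print("concatenated :", search_concat(db, payload))        # all rows leak
    print("parameterized:", search_param(db, payload))         # [] : treated as text
    print("typed '%'    :", search_param(db, "%"))             # all rows: wildcard smuggled
    print("escaped '%'  :", search_param_escaped(db, "%"))     # only the literal-% row
```

The same escaping applies to T-SQL: build the pattern as `'%' + @address + '%'` inside the stored procedure and add `ESCAPE '\'` to the LIKE, or the user can still match every row by typing a single `%`.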