Click here to Skip to main content
15,879,535 members
Search within:


C# select query using LIKE operator on MS Access DB connection
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
C#
MS-Access
I have a C# function accessing an MS Access db

When using the next statements inside my C# query string
"... where im.insp_mission_number like '%1%' ..."
it retrieves all insp_mission_number containing 1

But when i'm using parameters nothing is working
"... where im.insp_mission_number like '%@insp_mission_number%' ..."

where is the problem ?
Is it with @, ', %%, or what ... ?

Thanks in advance

Here is my code

C#
public DataTable getInspectionMissions(InspectionMissionExt ime)
       {
           string query = string.Format("SELECT im.*, i.first_name + i.surname AS inspector_name, b.name AS branch_name, m.name AS ministry_name FROM (((insp_mission AS im left join inspector as i on im.inspector_id = i.id) left join branch as b on im.insp_branch_id = b.id) left join ministry m on im.ministry_id = m.id)where im.insp_mission_number like '%@insp_mission_number%' and im.insp_branch_id = @insp_branch_id and im.inspector_id = @inspector_id and im.ministry_id = @ministry_id");
           OleDbParameter[] oledbParameters = new OleDbParameter[4];
           oledbParameters[0] = new OleDbParameter("@insp_mission_number", OleDbType.VarChar);
           oledbParameters[0].Value = Convert.ToString(ime.insp_mission_number);
           oledbParameters[1] = new OleDbParameter("@insp_branch_id", OleDbType.Integer);
           oledbParameters[1].Value = Convert.ToUInt64(ime.insp_branch_id);
           oledbParameters[2] = new OleDbParameter("@inspector_id", OleDbType.Integer);
           oledbParameters[2].Value = Convert.ToUInt64(ime.inspector_id);
           oledbParameters[3] = new OleDbParameter("@ministry_id", OleDbType.Integer);
           oledbParameters[3].Value = Convert.ToUInt64(ime.ministry_id);
           return conn.executeSelectQuery(query, oledbParameters);
       }
Posted
Updated 9-Sep-13 12:40pm
v3
Add a Solution

1 solution

First of all, I don't know if your database holds sensible data, but the way it is written here, it is really prone to SQL injections. I'd suggest you use stored procedures with parameters instead, to avoid security issues.

But if I look at this, considering the fact that I don't know where the @insp_mission_number parameters comes from, I'd try this:

string query = string.Format("SELECT im.*, i.first_name + i.surname AS inspector_name, b.name AS branch_name, m.name AS ministry_name FROM (((insp_mission AS im left join inspector as i on im.inspector_id = i.id) left join branch as b on im.insp_branch_id = b.id) left join ministry m on im.ministry_id = m.id)where im.insp_mission_number like '%' + @insp_mission_number + '%' and im.insp_branch_id = @insp_branch_id and im.inspector_id = @inspector_id and im.ministry_id = @ministry_id");

But like I said since I don't know where the parameter is defined, I might be wrong.

Hope it helps.
 
Share this answer
 
Posted
Updated 9-Sep-13 13:27pm
v2
Comments
mido_h_89 9-Sep-13 17:28pm    
Thanks for help ...
But actually, that doesn't work.
@insp_mission_number must be included within double quotes. Though, this doesn't solve the problem.

About the SQL injection, how can it be done here ?
Max Methot 12-Sep-13 10:18am    
About the SQL injection, as I said you could go with stored procedures. You use them somthing like this:

public static MyObject Get(string connectionString, InspectionMissionExt ime)
{
//Create the connection object that points to the right MS Access database
OleDbConnection connection = new OleDbConnection(connectionString);

//Open the connection
connection.Open();

//Instatiate the stored procedure by it's name
string storedProcedure = "MyProcedure";

//Create the command that will execute the stored procedure for the given connection
OleDbCommand command = new OleDbCommand(storedProcedure, connection);

//Make sure it is a Stored procedure type of command
command.CommandType = CommandType.StoredProcedure;

//Set the command parameters
command.Parameters.AddWithValue("@insp_mission_number ", ime.insp_mission_number);
command.Parameters.AddWithValue("@insp_branch_id", ime.insp_branch_id);
command.Parameters.AddWithValue("@inspector_id", ime.inspector_id);
command.Parameters.AddWithValue("@ministry_id", ime.ministry_id);

//Create the reader that will read the results of the command
OleDbDataReader reader = command.ExecuteReader();

//Instantiate the object that will be filled with the query results
MyObject myObject = new MyObject;

//If the query gives us results...
if (reader.Read())
{
myObject.Property1 = reader.GetString(0);
myObject.Property2 = reader.GetInt32(1);
myObject.Property3 = reader.GetString(2);
myObject.Property4 = reader.GetDouble(3);
.
.
.
}

return myObject;
}

Your stored procedure in MS Access might be created like:

CREATE PROCEDURE MyStoredProcedureName
(@insp_mission_number VARCHAR,
@insp_branch_id INT,
@inspector_id INT,
@ministry_id INT)
AS

SELECT im.*,
i.first_name + i.surname AS inspector_name,
b.name AS branch_name,
m.name AS ministry_name
FROM (((insp_mission AS im left join inspector as i on im.inspector_id = i.id)
LEFT JOIN branch as b on im.insp_branch_id = b.id)
LEFT JOIN ministry m on im.ministry_id = m.id)
WHERE im.insp_mission_number like '%' + @insp_mission_number + '%'
AND im.insp_branch_id = @insp_branch_id
AND im.inspector_id = @inspector_id
AND im.ministry_id = @ministry_id


By doing it that way, you are safe for SQL injections since you'll be using typed parameters and a remote stored procedure instead of a clear text query in the C# code. It is a good practice to do so.

Once you return your object or value in the C#, you'll be able to do whatever treatment you need to do on it.

Also, it will most likely fix your problem with including the parameters in the SQL query.

I hope it'll help you and I hope I didn't mix up things more than necessary for you!
mido_h_89 21-May-14 5:26am    
Thank u. It really helped
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month
Related Questions
Connecting DB tables within file query
operation must use an updateable query ms access
Getting missing operator error in this query in MS access query design
Not able to open DB connection to MS ACCESS DB from Microsoft visual C++ 6.0
Not able to open DB connection to MS ACCESS DB from Microsoft visual C++ 6.0
Operation must use an updateable query.?
The simple select * from query is running from hours without giving any results in MS SQL SERVER. How to fix this?
How to use between operator in access query
Link table Query in MS access
Table Query from an Access MS DB

Advertise
Privacy
Cookies
Terms of Use
Last Updated 9 Sep 2013
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web03 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900