No rows returned using SQLiteParameters, but rows returned with direct query
-
Tried and failed. Wait, using it without ' in the query string works. Yes, thank you, though I can still input % as a wildcard and get all rows. I thought this was supposed to sanitize/escape input. Guess I can live with it though, unless you have a better idea.
-
do you know why the % char isn't being escaped?
-
yes, but if it's put into the textbox, it's queried as LIKE %%% which matches everything
-
it's a search query for a database, text input box
-
Yes, but that has nothing to do with creating a valid SQL statement. The textbox is provided by the user, so your code should verify that it contains valid data. You then take the validated text and store it into one of the SQL Parameters which get passed in to the execution module. Do not assume that the user knows what he or she is doing and just accept whatever they type. Many times it will be wrong, mis-typed, not understanding what is required, etc.
-
I thought SQLiteParameter sanitizes or at least escapes special characters
-
Parameters don't "sanitize" or "escape" special characters. They pass parameters across completely separately from the command text, so that there is no way for the database engine to get confused and treat part of the parameter as part of the command. Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^] How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
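The three behaviours discussed in this thread side by side, as an added example that is not part of the original thread and not the asker's code: a concatenated query that a single quote breaks and an injected string hijacks, a parameterised query that is immune to injection but still treats % and _ as LIKE wildcards (the "LIKE %%% matches everything" complaint), and the fix for that, which is to escape the wildcards in the search term and tell LIKE which escape character you used via ESCAPE. It uses Python's built-in sqlite3 module rather than the .NET SQLiteParameter the thread is about, since the behaviour being shown is SQLite's, not the driver's; the users table and its rows are constructed for the example.

```python
import sqlite3

# Constructed sample data (not from the original thread).
ROWS = [("alice",), ("bob",), ("100% pure",), ("under_score",)]


def make_db():
    """In-memory SQLite database with a one-column users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", ROWS)
    return conn


def search_concat(conn, term):
    """The broken approach: the search term is pasted into the command text.
    A single quote in `term` yields invalid SQL, and a crafted term changes
    the statement's logic."""
    sql = "SELECT name FROM users WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def concat_fails_on(conn, term):
    """True if the concatenated query is rejected by the parser for this term."""
    try:
        search_concat(conn, term)
    except sqlite3.Error:
        return True
    return False


def search_param(conn, term):
    """Parameterised: the pattern is sent separately from the command text, so
    quotes in `term` can never alter the statement. LIKE still interprets
    % and _ inside the value, because that is what LIKE does with any value."""
    pattern = "%" + term + "%"
    return [row[0] for row in
            conn.execute("SELECT name FROM users WHERE name LIKE ?", (pattern,))]


def escape_like(term, esc="\\"):
    """Make LIKE match `term` literally: escape the escape character itself
    first, then the two wildcards."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_param_escaped(conn, term):
    """Parameterised and wildcard-safe: only the surrounding % we add act as
    wildcards; the ESCAPE clause tells LIKE that a backslash in the pattern
    protects the character after it."""
    pattern = "%" + escape_like(term) + "%"
    return [row[0] for row in
            conn.execute("SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'",
                         (pattern,))]


if __name__ == "__main__":
    db = make_db()
    print("concat, term o' is rejected:", concat_fails_on(db, "o'"))
    print("concat, injected term:", search_concat(db, "' OR 1=1 --"))
    print("param, term %:", search_param(db, "%"))
    print("param+escape, term %:", search_param_escaped(db, "%"))
    print("param+escape, term _:", search_param_escaped(db, "_"))
```

The parameter never gets "escaped" because it never becomes part of the statement; that is exactly why it cannot cause injection. The LIKE wildcard question is a separate, application-level concern: the value reaches LIKE intact, and LIKE reads % and _ inside it as wildcards unless the application escapes them and supplies a matching ESCAPE clause.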