Parameterized LIKE results in fail [DNET976] #895
Assignees
Comments
|
Commented by: @mrotteveel Unfortunately this is a limitation in Firebird, see CORE3559. The workaround is to cast either the parameter or the column to a wider value. For example: where customer_firstname like cast(@search as varchar(100)) |
Modified by: @mrotteveel |
Modified by: @cincuranetpriority: Major [ 3 ] => Minor [ 4 ] Component: http://ADO.NET Provider [ 10041 ] Component: NuGet packages [ 10150 ] => |
|
Commented by: @cincuranet As described by Mark, this is expected behavior. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Submitted by: Marvin Klein (marvinklein)
Relate to CORE3559
Consider the following scenario.
Table: CUSTOMERS
Fields:
CUSTOMER_FIRSTNAME VARCHAR(10)
CUSTOMER_LASTNAME VARCHAR(15)
Now I have the follwing C# code
// Create connection
// Create Command
command.Parameters.AddWithValue("@SEARCH", $"%{search.ToUpper()}%");
command.CommandText = "SELECT * FROM CUSTOMERS WHERE CUSTOMER_FIRSTNAME LIKE @SEARCH OR CUSTOMER_LASTNAME LIKE @SEARCH";
command.ExecuteQuery(); // do something with the command. This works fine as long as my parameter search does not exceed 10 characters.
When you try this command with more than 10 characters, you get an exception. However, doing the following does not result in an exception:
command.CommandText = $"SELECT * FROM CUSTOMERS WHERE CUSTOMER_FIRSTNAME LIKE '%{search.ToUpper()}%' OR CUSTOMER_LASTNAME LIKE '%{search.ToUpper()}%' ";
command.ExecuteQuery(); // do something with the command, no exception
But using this way I am vulnerable to SQL-Injections.
The text was updated successfully, but these errors were encountered: