Why isn't my parameterized query working?_问答_开发者

Why isn't my parameterized query working?

开发者 https://www.devze.com 2023-01-05 12:11 出处：网络

I have a kinda complex query, basically I search the database in most fields for a string or strings. If it\'s multiple strings, the database field must match all parts of the strings.

相关专题：.net-3.5 tsql

I have a kinda complex query, basically I search the database in most fields for a string or strings. If it's multiple strings, the database field must match all parts of the strings.

This is the base sql that the query is built on:

SELECT开发者_StackOverflow中文版 wo.ID, {columns} FROM tblWorkOrder wo
    LEFT JOIN tblWorkOrderCategory wc
    ON wo.CategoryID = wo.ID
    LEFT JOIN tblTenant t
    ON wo.TenantID = t.ID
    LEFT JOIN tblProperty p
    ON wo.PropertyID = p.ID
    LEFT JOIN tblRentalUnit ru
    ON wo.UnitID = ru.ID

Columns is replaced with this list:

            "wo.Date", "wo.WorkDesc", "wo.Priority", "wo.WorkDoneBy", "wo.EstimatedCost", "wo.DueDate", "wo.ActualCost", "wo.FinishedDate", "wo.workOrderNum",
            "wc.[Description]",
            "t.TenantName",
            "p.PropertyName",
            "ru.UnitNumber"

and this is how I build the query:

        String[] parts = txtSearch.Text.Split(' ');
        foreach (String column in columnsToSearch) {
            String clause = " (";
            for (int i = 0; i < parts.Length; i++) {
                clause += column + " LIKE '%@param" + i + "%' ";
                if (i + 1 != parts.Length) {
                    clause += "AND ";
                }
            }
            clause = clause.TrimEnd() + ") ";
            sql += clause + " OR ";
        }
        sql = sql.TrimEnd(new char[] { 'O', 'R', ' ' });

        using (SqlConnection conn = new SqlConnection(RentalEase.Properties.Settings.Default.RentalEaseConnectionString)) {
            SqlCommand command = new SqlCommand(sql, conn);

            for (int i = 0; i < parts.Length; i++) {
                command.Parameters.Add("@param" + i, SqlDbType.NVarChar).Value = parts[i];
                //command.CommandText = command.CommandText.Replace("@param" + i, parts[i]);
            }

Only this always returns no rows. However, in the for loop that assigns the parameter values, if I comment out the Parameters.Add line and uncomment the one below it, I wind up with results like I should be seeing. As this is an unsafe way to do it, I'd like to know why using parameters is failing.

You are looking for the literal '@Param'; you mean:

... LIKE '%' + @param" + i + " + '%' ...

so that the TSQL is:

... LIKE '%' + @param2 + '%' ...

Or simpler; put the '%' into the value in the calling code; then your code becomes:

... LIKE @param" + i + " ...

and the TSQL becomes:

... LIKE @param2 ...

Use SQL Profiler - you'll see exactly what gets sent to SQL Server, including all your parameters and their values.

Copy and paste that into SQL Server Mgmt Studio and run it - I'm sure you'll find out what's causing the issue... or if not, you can always post the parametrized query here and we'll help again :-)