How to use wildcards with SQLite paramaters? - sql

I'm having trouble figuring out how to use wildcards with parameters in SQLite.
Here's the code I'm trying to get working:
#GamePara='Desert';
SELECT
GameName
FROM Games
WHERE GameName LIKE '%' + #GamePara + '%';
This code returns no results. It is supposed to return all fields which include the string 'Desert' in GameName.
If I replace the parameter with the desired value directly, as shown below, I am able to get the desired results.
SELECT
GameName
FROM Games
WHERE GameName LIKE '%Desert%';
I've not had much experience with SQL parameters in general, so it's possible that my issue could exist with other versions of SQL as well.
MODERATOR EDIT:
Note: It is very bad habit to delete question after getting correct answer.
USER EDIT: Sorry, I hadn't seen that the question had been answered when I deleted it (I hadn't refreshed the page). I deleted the question because I realised that I asked the wrong question. The issue that I was having was that I couldn't set parameters the same way as in MySQL. (#GamePara='Desert'; returned the message Error: near "#GamePara": syntax error). I had tried the || concatenation, but the parameter setting was the issue.

Use || for string concatenation:
The || operator is "concatenate" - it joins together the two strings
of its operands.
#GamePara='Desert';
SELECT
GameName
FROM Games
WHERE GameName LIKE '%' || #GamePara || '%';
Compare:
SELECT 'a' + 'b', 'a' || 'b'
-- 0 vs ab

Related

How to search a string in list in sql?

I have been using sql for quite a time but unable to figure out below query logic.
I'm extracting two values
First_name i.e abc
FIRST_NAMES_LIST (list containing first names) i.e ['abc','abc','cba','dba'] (this may contain junk values also in between strings)
I trying to search first_name in first_name_list and return 1 or 0, using below logic
CASE FIRST_NAME in FIRST_NAMES_LIST then 1
else 0
but this isn't giving correct result
Can somebody please help.
Thanks,
Naseer
Look this information:
https://www.techonthenet.com/oracle/functions/instr.php
INSTR is a function which return <> 0 if your parameter match. If not it return 0.
I no have any clear example in your ennunciate to give you the correct answer. See the functionalities.
Regards!
Ideally you would parse out your json into a table object ( I don't know how to do that in Oracle) and then search your table object where the object contains the value, but that is pretty expensive. It would be more robust and would be able to handle special characters/corner cases better.
On the other hand, if the names are going to stay simple (ie, no quote marks ' or commas), you could use a LIKE expression and search the string.
CASE WHEN FIRST_NAMES_LIST LIKE '%''' + FIRST_NAME + '''%' THEN 1 ELSE 0 END
Yes im currently using INSTR but query is taking bit of time. hope resolves this issue. thanks.

Check if string is found in one of multiple columns in SQL

I want to search a string in multiple columns to check if it exists in any.
I found a solution for it here
The answer by Thorsten is short but that is a solution for mysql server not for SQL Server.
So I would like to apply similar query in SQL Server.
Here is the query suggested by Thorsten.
Select *
from tblClients
WHERE name || surname LIKE '%john%'
I tried it as
/* This returns nothing */
Select *
from Items
Where ISNULL(Code, '') + ISNULL(Code1, '') = '6922896068701';
Go
/* This generate error Msg 102, Level 15, State 1, Line 3
Incorrect syntax near '|'.
I also used this one in mysql but it does not show the exact match.
*/
Select *
from Items
WHERE Code || Code1 = '6922896068701';
Go
/* This generate error Msg 4145, Level 15, State 1, Line 5
An expression of non-boolean type specified in a context where a condition is expected, near 'Or'. */
Select *
from Items
WHERE Code Or Code1 = '6922896068701';
Go
Is it really possible in SQL Server?
Note: The answer by J__ works accurately in the upper Question link but I want the comparison string to be entered once for all columns where I look for it like Thorsten.
Actually I think that separate logical checks in the WHERE clause for each column is the way to go here. If you can't do that for some reason, consider using a WHERE IN (...) clause:
SELECT *
FROM Items
WHERE '6922896068701' IN (Code, Code1);
If instead you want LIKE logic, then it gets tricky. If you knew that the matching codes would always consist of numbers/letters, then you could try:
SELECT *
FROM Items
WHERE ',' + Code + ',' + Code1 + ',' LIKE '%,6922896068701,%';
I would recommend doing the two comparisons separately:
WHERE name LIKE '%john%' OR
surname LIKE '%john%'
Unless you specifically want to find times when the names are combined, such as "Maryjoh" "Needlebaum" or whatever.
It is generally better to focus on one column at a time, because that helps the optimizer.
For MS SQL this may work;
Select *
from Items
WHERE Code = '6922896068701' Or Code1 = '6922896068701'

Replace Value Of Fields Before Searching

To Increase Speed of search in the database, i want to do something like this:
If field TheFieldName (without any space in it) was equal with test then show the record(s)
how can i do it?
This did'nt work for me:
"SELECT * FROM TheTableName WHERE REPLACE(TheFieldName, ' ', '')=test"
Error: Undefined function 'REPLACE' in expression
It seems unlikely to me that replace() is not known in SQL Server (or almost any other database). But, check to be sure you are using the database you think you are.
Your query, as written, does have an error -- because you seem to want test as a string. Does the query really look like this:
SELECT *
FROM TheTableName
WHERE REPLACE(TheFieldName, ' ', '') = 'test';
Note the quotes around 'test'.
This should work.
"SELECT * FROM TheTableName WHERE rtrim(ltrim(TheFieldName))=test"

Can 2 character length variables cause SQL injection vulnerability?

I am taking a text input from the user, then converting it into 2 character length strings (2-Grams)
For example
RX480 becomes
"rx","x4","48","80"
Now if I directly query server like below can they somehow make SQL injection?
select *
from myTable
where myVariable in ('rx', 'x4', '48', '80')
SQL injection is not a matter of length of anything.
It happens when someone adds code to your existing query. They do this by sending in the malicious extra code as a form submission (or something). When your SQL code executes, it doesn't realize that there are more than one thing to do. It just executes what it's told.
You could start with a simple query like:
select *
from thisTable
where something=$something
So you could end up with a query that looks like:
select *
from thisTable
where something=; DROP TABLE employees;
This is an odd example. But it does more or less show why it's dangerous. The first query will fail, but who cares? The second one will actually work. And if you have a table named "employees", well, you don't anymore.
Two characters in this case are sufficient to make an error in query and possibly reveal some information about it. For example try to use string ')480 and watch how your application will behave.
Although not much of an answer, this really doesn't fit in a comment.
Your code scans a table checking to see if a column value matches any pair of consecutive characters from a user supplied string. Expressed in another way:
declare #SearchString as VarChar(10) = 'Voot';
select Buffer, case
when DataLength( Buffer ) != 2 then 0 -- NB: Len() right trims.
when PatIndex( '%' + Buffer + '%', #SearchString ) != 0 then 1
else 0 end as Match
from ( values
( 'vo' ), ( 'go' ), ( 'n ' ), ( 'po' ), ( 'et' ), ( 'ry' ),
( 'oo' ) ) as Samples( Buffer );
In this case you could simply pass the value of #SearchString as a parameter and avoid the issue of the IN clause.
Alternatively, the character pairs could be passed as a table parameter and used with IN: where Buffer in ( select CharacterPair from #CharacterPairs ).
As far as SQL injection goes, limiting the text to character pairs does preclude adding complete statements. It does, as others have noted, allow for corrupting the query and causing it to fail. That, in my mind, constitutes a problem.
I'm still trying to imagine a use-case for this rather odd pattern matching. It won't match a column value longer (or shorter) than two characters against a search string.
There definitely should be a canonical answer to all these innumerable "if I have [some special kind of data treatment] will be my query still vulnerable?" questions.
First of all you should ask yourself - why you are looking to buy yourself such an indulgence? What is the reason? Why do you want add an exception to your data processing? Why separate your data into the sheep and the goats, telling yourself "this data is "safe", I won't process it properly and that data is unsafe, I'll have to do something?
The only reason why such a question could even appear is your application architecture. Or, rather, lack of architecture. Because only in spaghetti code, where user input is added directly to the query, such a question can be ever occur. Otherwise, your database layer should be able to process any kind of data, being totally ignorant of its nature, origin or alleged "safety".

SQL syntax to look for a specific figure among a number in Teradata

I'm looking for, how to search for a specific digit inside a numeric column in Teradata. I managed to do it for char type with
SELECT * from Table WHERE CharColumn LIKE ('%SearchedChar%')
but it doesn't seem to work with numeric values.
Thanks for your help.
EDIT :
I need this because i'm coding a .NET function to generate teradata queries from what a user types in a textbox.
LIKE ('%'+ (CAST(myNumber AS CHAR))+'%') is SQL Server syntax, of course this fails in Teradata :-)
+ is a numeric operator in Standard SQL while || concatenates strings:
WHERE CharColumn LIKE '%' || CAST(myNumber AS CHAR) || '%'
Of course searching for a digit within a number indicates a wrong datatype...
Use the convert function, but as mentioned below:
Declare #Digit int = 9 --Digit that you want to search
SELECT * FROM Table
WHERE CONVERT(varchar(10), NumColumn) LIKE ('%'+ CONVERT(varchar(10), #Digit) +'%')