Full Text Search query without stored procedure

M

Mate

I am trying to execure this query in C#, but I can not. It is well when I
use string with quotes instead @SearchTerm parameter (it is not good because
of SQL Injection).

Can I use full text search ad-hoc query with parameters or I need to use
stored procedures?

This is my code:

SQL = @"SELECT * FROM IndexedPages a JOIN CONTAINSTABLE(IndexedPages,
(Title, PageText), 'ISABOUT(@SearchTerm WEIGHT(.1))') ct ON a.ID = ct.[KEY]
ORDER BY RANK DESC";

myCommand = new SqlCommand(SQL, SqlConn);

myCommand.Parameters.Add(new SqlParameter("@SearchTerm", SearchTerm));

DAdapter.SelectCommand = myCommand;

DSet = new DataSet(); DAdapter.Fill(DSet);
 
G

Guest

I am trying to execure this query in C#, but I can not. It is well when I
use string with quotes instead @SearchTerm parameter (it is not good because
of SQL Injection).

Can I use full text search ad-hoc query with parameters or I need to use
stored procedures?

This is my code:

SQL = @"SELECT * FROM IndexedPages a JOIN CONTAINSTABLE(IndexedPages,
(Title, PageText), 'ISABOUT(@SearchTerm WEIGHT(.1))') ct ON a.ID = ct.[KEY]
ORDER BY RANK DESC";

myCommand = new SqlCommand(SQL, SqlConn);

myCommand.Parameters.Add(new SqlParameter("@SearchTerm", SearchTerm));

DAdapter.SelectCommand = myCommand;

DSet = new DataSet(); DAdapter.Fill(DSet);
Click to expand...

Use string concatenation:

SQL = @"SELECT * FROM IndexedPages a JOIN CONTAINSTABLE(IndexedPages,
(Title, PageText), 'ISABOUT(" + x + @" WEIGHT(.1))') ct ON a.ID = ct.
[KEY]
ORDER BY RANK DESC";

and do not forget about sql injections, replace ['] by [''] and [;] by
[ ]

In a stored procedure you will also need to concatenate the strings
because you can't put the parameter inside the literal value. You will
need to have something like this

declare @x nvarchar(50)
set @x='ISABOUT(' + ... +' WEIGHT(.1))'

SELECT * FROM files a JOIN CONTAINSTABLE(files,
(filedata), @x) ct ON a.ID = ct.[KEY]
ORDER BY RANK DESC

Hope this helps
 
G

Gregory A. Beamer

Mate said:
I am trying to execure this query in C#, but I can not. It is well
when I use string with quotes instead @SearchTerm parameter (it is not
good because of SQL Injection).

Can I use full text search ad-hoc query with parameters or I need to
use stored procedures?

This is my code:

SQL = @"SELECT * FROM IndexedPages a JOIN CONTAINSTABLE(IndexedPages,
(Title, PageText), 'ISABOUT(@SearchTerm WEIGHT(.1))') ct ON a.ID =
ct.[KEY] ORDER BY RANK DESC";

myCommand = new SqlCommand(SQL, SqlConn);

myCommand.Parameters.Add(new SqlParameter("@SearchTerm", SearchTerm));

DAdapter.SelectCommand = myCommand;

DSet = new DataSet(); DAdapter.Fill(DSet);
Click to expand...


Parameters do not work the way you are attempting. They are not merely
pointers in a string.

Of the options you present, I would opt for a stored procedure over
concatenation, but that is a personal preference. Alexy has given
another good option, but heed his injection warning.

If nothing else, run through some form of encoder before submitting.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

insert stored procedure 4
stored procedure takes too much time to execute 7
error msg help needed on stored procedure 4
Creating an SQLDB search using a stored procedure 1
returning output vars from nested stored procedure 1
VB.Net Stored Procedures 2
Obtaining the return code from a stored procedure 2
How to get the returned value from Stored Proc. ? 2

Members online

Total: 29 (members: 2, guests: 27)
Robots: 421

Forum statistics

Threads
473,768
Messages
2,569,574
Members
45,048
Latest member
verona

Latest Threads

Top