I'm working on a simple translation application based on C# & SQL Server CE 3.5
I have a search textbox that searches certain columns in database through textBox1.Text with normal SQL query [SELECT.. LIKE '% %']
What I want to achieve : I want to search for all the words after certain symbols (+ for example) in all locations in database , so they don't need to be written in the full context (word after word as they exist in database)
In other words : I want to split words after certain symbols , so that the program search for each word independently (search the word before symbol and each word after symbol separately)
Example: If I tried to search for the value "burden of proof" , I've to write it in the previous context, but for the user this will not apply. So I want him to put a symbol in-between the two words he is willing to search for (namely he should search for "burden+proof")
Picture 1 : https://i.sstatic.net/qBJTV.jpg , Picture 2 : https://i.sstatic.net/CYl0w.jpg
Edit - my search button code :
sqlcmd = new SqlCeCommand
("SELECT * FROM T1 WHERE EnglishWord like '%" + textBox1.Text + "%' OR EnglishDesc like '%" + textBox1.Text + "%' OR ArabicWord like '%" + textBox1.Text + "%' OR ArabicDesc like '%" + textBox1.Text + "%' ", sqlcon);
try
{
listView1.Items.Clear();
sqldr = sqlcmd.ExecuteReader();
while (sqldr.Read())
{
ListViewItem item = new ListViewItem(sqldr["ID"].ToString());
item.SubItems.Add(sqldr["EnglishWord"].ToString());
item.SubItems.Add(sqldr["EnglishDesc"].ToString());
item.SubItems.Add(sqldr["ArabicDesc"].ToString());
item.SubItems.Add(sqldr["ArabicWord"].ToString());
item.SubItems.Add(sqldr["Subject"].ToString());
listView1.Items.Add(item);
}
listView1.Enabled = true;
label7.Text = listView1.Items.Count.ToString();
}
catch (SqlCeException ex)
{
MessageBox.Show("Error: " + ex.Message, "Something wrong");
}
Answer by : Richard Deeming @ CodeProject
Assuming you want to find all records where each word appears in at least one of the four columns, something like this should work:
sqlcmd = sqlcon.CreateCommand();
string[] words = textBox1.Text.Split(new[] { '+' }, StringSplitOptions.RemoveEmptyEntries);
StringBuilder query = new StringBuilder("SELECT * FROM T1 WHERE 1 = 1");
for (int index = 0; index < words.Length; index++)
{
string wordToFind = words[index];
string parameterName = "@word" + index;
sqlcmd.Parameters.AddWithValue(parameterName, "%" + wordToFind + "%");
query.AppendFormat(" AND (EnglishWord Like {0} OR EnglishDesc Like {0} OR ArabicWord Like {0} OR ArabicDesc Like {0})", parameterName);
}
sqlcmd.CommandText = query.ToString();
This will also fix the SQL Injection[^] vulnerability in your code.
If the user searches for burden+proof, the resulting query will look something like this:
SELECT
*
FROM
T1
WHERE
1 = 1
And
(
EnglishWord Like @word0
Or
EnglishDesc Like @word0
Or
ArabicWord Like @word0
Or
ArabicDesc Like @word0
)
And
(
EnglishWord Like @word1
Or
EnglishDesc Like @word1
Or
ArabicWord Like @word1
Or
ArabicDesc Like @word1
)
/*
Parameters:
- @word0 = '%burden%'
- @word1 = '%proof%'
*/