how to search a database with a stored procedure?

[wilco]

hello,

can any one tell me how to create a stored procedure that is beable to
search a table, or more table's and can make use of wildcards?
i just made somthing like this,:
SELECT * FROM tblUsers WHERE Adress LIKE '* Value from user how wants to
search the database *'
but I don't know where to place the @??? for the input
i also wants to make the user can select witch table and field he want's to
search.

thanks!!

[Jerry III]

And when you do it like this someone will sumbit "%' GO DELETE tblUsers --"
in your input box and wipe out your table (if the database user has enough
privileges to do so).

A better solution is to use the command object, like this:

OleDbCommand cmd = new OleDbCommand();

cmd.CommandText = "SELECT * FROM [tblUsers] WHERE [Address] LIKE @address";
cmd.Parameters.Add("@address", "%" + txtAddress.Text + "%");

Jerry

"David Wier" <dwier@nospamASPNet101.com> wrote in message
news:%239pMFNrWDHA.1680@tk2msftngp13.phx.gbl...

> Dim sAddress as String
> sAddress=txtAddress.text
> SQL = "SELECT * FROM tblUsers WHERE Adress Like '%" & sAddress & "%'"
>
> Put the % sign on the front and at the end, in order to search the entire
> field
>
> Check out this 2 Part Tutorial on Parameterized Queries:
> [url]http://aspnet101.com/aspnet101/tutorials.aspx?id=1[/url]
>
> LIKE is covered in Part 2
>
> David Wier
> [url]http://aspnet101.com[/url]
> [url]http://aspexpress.com[/url]
>
>
> "wilco" <wilco.bikker@hetnet.nl> wrote in message
> news:bgm62m$oou$1@reader11.wxs.nl...

> > hello,
> >
> > can any one tell me how to create a stored procedure that is beable to
> > search a table, or more table's and can make use of wildcards?
> > i just made somthing like this,:
> > SELECT * FROM tblUsers WHERE Adress LIKE '* Value from user how wants to
> > search the database *'
> > but I don't know where to place the @??? for the input
> > i also wants to make the user can select witch table and field he want's

> to

> > search.
> >
> > thanks!!
> >
> >

>
>

[Xavier MT]

Can I ask what is the difference?

I just want to understand it....

"Jerry III" <jerryiii@hotmail.com> wrote in message
news:%23Z1C%23ssWDHA.1480@tk2msftngp13.phx.gbl...

> And when you do it like this someone will sumbit "%' GO DELETE

tblUsers --"

> in your input box and wipe out your table (if the database user has enough
> privileges to do so).
>
> A better solution is to use the command object, like this:
>
> OleDbCommand cmd = new OleDbCommand();
>
> cmd.CommandText = "SELECT * FROM [tblUsers] WHERE [Address] LIKE

@address";

> cmd.Parameters.Add("@address", "%" + txtAddress.Text + "%");
>
> Jerry
>
> "David Wier" <dwier@nospamASPNet101.com> wrote in message
> news:%239pMFNrWDHA.1680@tk2msftngp13.phx.gbl...

> > Dim sAddress as String
> > sAddress=txtAddress.text
> > SQL = "SELECT * FROM tblUsers WHERE Adress Like '%" & sAddress & "%'"
> >
> > Put the % sign on the front and at the end, in order to search the

entire

> > field
> >
> > Check out this 2 Part Tutorial on Parameterized Queries:
> > [url]http://aspnet101.com/aspnet101/tutorials.aspx?id=1[/url]
> >
> > LIKE is covered in Part 2
> >
> > David Wier
> > [url]http://aspnet101.com[/url]
> > [url]http://aspexpress.com[/url]
> >
> >
> > "wilco" <wilco.bikker@hetnet.nl> wrote in message
> > news:bgm62m$oou$1@reader11.wxs.nl...

> > > hello,
> > >
> > > can any one tell me how to create a stored procedure that is beable to
> > > search a table, or more table's and can make use of wildcards?
> > > i just made somthing like this,:
> > > SELECT * FROM tblUsers WHERE Adress LIKE '* Value from user how wants

to

> > > search the database *'
> > > but I don't know where to place the @??? for the input
> > > i also wants to make the user can select witch table and field he

want's

> > to

> > > search.
> > >
> > > thanks!!
> > >
> > >

> >
> >

>
>