I am aware of how parameterized queries work, and I've used them in every query I have written so far that is not written on the hard drive. However, when writing a function to create a dynamic query (for testing purposes) this made me wonder: will it be safe to use "as is"?
```csharp
string sql = "SELECT * FROM Table WHERE";
string fullstring = "The quick brown fox jumped over";
string[] words = fullstring.Split(' ');
foreach (string item in words)
{
    // Each word is concatenated straight into the LIKE pattern
    sql = sql + " Column LIKE '%" + item + "%' AND";
}
// Drop the trailing "AND"
sql = sql.Remove(sql.Length - 3);
```
If I included this in the query, the result would be

```sql
SELECT * FROM Table WHERE Column LIKE '%the%' AND Column LIKE '%quick%' AND Column LIKE '%brown%' AND Column LIKE '%fox%' AND Column LIKE '%jumped%' AND Column LIKE '%over%'
```
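The same dynamic "one LIKE clause per word" query can be built with a placeholder per word instead of concatenating the words into the SQL text. The following is an added example, not code from the question; it is written in Python against an in-memory SQLite database so it runs stand-alone (the table name `Tbl` and the sample rows are constructed for the demo), and it also escapes `%` and `_` so a user-supplied wildcard matches literally rather than widening the search.

```python
import sqlite3

# Escape character for LIKE; '!' is used so the pattern stays readable.
LIKE_ESCAPE = "!"


def escape_like(word: str) -> str:
    """Make '%', '_' and the escape char in user input match literally."""
    return (word.replace(LIKE_ESCAPE, LIKE_ESCAPE * 2)
                .replace("%", LIKE_ESCAPE + "%")
                .replace("_", LIKE_ESCAPE + "_"))


def build_like_query(words):
    """Return (sql, params): one '?' placeholder per word, ANDed together.

    The words never touch the SQL text, so a quote inside a word cannot
    terminate the string literal or alter the statement.
    """
    clauses = ["\"Column\" LIKE ? ESCAPE '!'" for _ in words]
    params = [f"%{escape_like(w)}%" for w in words]
    sql = "SELECT * FROM Tbl"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    # Note: an empty search returns every row; decide if that is wanted.
    return sql, params


def search(conn, fullstring: str):
    """Split on whitespace like the question does, then run the query."""
    sql, params = build_like_query(fullstring.split())
    return [row[0] for row in conn.execute(sql, params)]


def demo_db():
    """Constructed sample data, enough to show matching and escaping."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE Tbl ("Column" TEXT)')
    conn.executemany("INSERT INTO Tbl VALUES (?)", [
        ("the quick brown fox jumped over the lazy dog",),
        ("100% pure fox",),
        ("no foxes here",),
    ])
    return conn
```

In C# the same shape is a loop that appends `Column LIKE @w0`, `@w1`, ... to the SQL and adds each pattern with `cmd.Parameters.AddWithValue("@w0", "%" + word + "%")`, rather than splicing the word into the string.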