Correct way to escape values in LIKE pattern matches

Rudism · October 8, 2015, 7:11pm

When building raw SQL queries I’ll use SqlFmt to inject parameters:

"SELECT * FROM mytable WHERE mycolumn={0}".SqlFmt(myValue);

Is there a way to do something similar when you want to use a value as part of a pattern match? Something like this (which doesn’t work because the value gets double-quoted):

"SELECT * FROM mytable WHERE mycolumn ILIKE '{0}%'".SqlFmt(myValue);

I would like to use potentially dangerous user-provided values as search terms in a safe way.

mythz · October 8, 2015, 7:13pm

What about?

"SELECT * FROM mytable WHERE mycolumn ILIKE {0}".SqlFmt(myValue + "%");

Rudism · October 8, 2015, 7:27pm

Oh yeah, duh. For some reason I was thinking that SqlFmt stripped or escaped the metacharacters but of course it wouldn’t do that.