Problem using SQL LIKE in AngularJS

1

I have been having trouble for a few days with the search in my app using AngularJS, and today I was able to discover the reason: in the SQL query with LIKE, it is simply not receiving the parameter as it should.

My function looks like this:

self.searchAll = function(text) {
  var parameters = [text];

  // The (?) sits inside the '%...%' string literal, so SQLite sees it as text, not as a placeholder
  return DBA.query("SELECT id, place_name FROM tblPlaces WHERE place_name LIKE '%(?)%'", parameters)
    .then(function(result) {
      return DBA.getAll(result);
    });
}

I think that because the (?) is glued to the %%, it does not recognize that the text parameter should go there. I decided to do some tests and put some text directly in the query, without passing it as a parameter, and it worked.

I also tried concatenating the text, to see if it would work that way, because if it did I could try passing the parameter like that. But that didn't work either; it returns me an SQLite error.

So I have two questions: is it possible to do this search using LIKE and receiving the text as a parameter, the way it is in the function? Or would it be better to do a general SELECT, turn it into a JSON object and use the Angular filter?

Note: the search I'm trying to do is on a screen that lists several categories, and the user will be able to search for products in general.

  • Is your database SQLite? And your AngularJS application?

  • Try swapping the single quotes for double quotes.

  • @GOKUSSJ4 Yes. It is an app with Ionic.

  • @Julyanofelipe I swapped the quotation marks, but the problem persists.

1 answer

2

I just tested something that hadn't even crossed my mind: putting the %% together with the parameter, already inside the parameters variable. And it worked!

self.searchAll = function(nameSearch) {
  // The wildcards travel inside the bound value; the SQL keeps a bare ? placeholder
  var parameters = ["%" + nameSearch + "%"];

  return DBA.query('SELECT id, place_name FROM tblPlaces WHERE place_name LIKE ?', parameters)
    .then(function(result) {
      return DBA.getAll(result);
    });
}

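
Added example (not the question's or the answer's code): the same parameterised LIKE, extended so that % and _ typed by the user are matched literally instead of acting as wildcards, with the user text never concatenated into the SQL string. DBA.query(sql, params) and DBA.getAll(result) are assumed to behave as in the question.

```javascript
// Added example; DBA is the assumed Ionic/Cordova SQLite wrapper from the question.

// SQLite LIKE treats % and _ as wildcards, so a user typing "100%" would match
// everything starting with "100". Escape them (and the escape char itself)
// before wrapping the text in %...%, and tell SQLite via ESCAPE which char we used.
var LIKE_ESCAPE_CHAR = '\\';

function escapeLikeText(text) {
  return String(text).replace(/[\\%_]/g, function (ch) {
    return LIKE_ESCAPE_CHAR + ch;
  });
}

// Builds the bound parameter: the escaped text wrapped in % wildcards.
function buildLikePattern(text) {
  return '%' + escapeLikeText(text) + '%';
}

// Query text and parameters are kept apart: the user text is only ever a bound
// value, so quotes in it cannot change the statement. (Note that SQLite's LIKE
// is case-insensitive for ASCII letters by default.)
function buildSearchQuery(text) {
  return {
    sql: "SELECT id, place_name FROM tblPlaces WHERE place_name LIKE ? ESCAPE '\\'",
    params: [buildLikePattern(text)]
  };
}

// Drop-in replacement for searchAll from the question, using the assumed DBA service.
function searchAll(DBA, text) {
  var q = buildSearchQuery(text);
  return DBA.query(q.sql, q.params).then(function (result) {
    return DBA.getAll(result);
  });
}
```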
  • Good, but this form would not be quite ideal; you would need a solution that avoids SQL Injection.

  • txtUserId = getRequestString("UserId");
    sql = "SELECT * FROM Customers WHERE CustomerId = @0";
    command = new SqlCommand(sql);
    command.Parameters.AddWithValue("@0", txtUserId);
    command.ExecuteReader();

    Something like that.

  • @GOKUSSJ4 I get it. I'm going to redo it here, so thank you very much!

  • This example is in C#; I don't know what it's like using AngularJS.

  • Right, but I will still look into how to redo this query to avoid SQL Injection.
