c# - LIKE clause and prepared statement
This question already has an answer here:
- Parameterized queries, in conditions (4 answers)
I am trying to make a SQL request with a LIKE clause, using a prepared statement.
Here is the code:

    using System.Collections.Generic;
    using System.Data.SqlClient;

    // possibleMatch is a List<string> declared by the caller; pseudopart is the prefix to search for
    using (SqlConnection connection = new SqlConnection(connectionString))
    {
        connection.Open();
        // The parameter name is placed inside the single-quoted LIKE pattern
        string query = "SELECT TOP 10 field FROM table WHERE field LIKE '@pseudopart%'";
        using (SqlCommand command = new SqlCommand(query, connection))
        {
            command.Parameters.AddWithValue("@pseudopart", pseudopart);
            using (SqlDataReader reader = command.ExecuteReader())
            {
                if (!reader.HasRows)
                    return possibleMatch;
                while (reader.Read())
                {
                    possibleMatch.Add(reader["field"].ToString());
                }
            }
        }
    }

The reader is empty. What am I doing wrong?
Since you are using single quotes, SQL Server sees @pseudopart% as part of a string literal, not as a parameter. That's why you are filtering the field column with the string @pseudopart%, not with the value of the pseudopart variable. That's why your reader is empty.
Use it like this instead:

    string query = "SELECT TOP 10 field FROM table WHERE field LIKE @pseudopart";
    ...
    command.Parameters.AddWithValue("@pseudopart", pseudopart + "%");
By the way, don't use the AddWithValue method. It may generate unexpected results sometimes. Use the Add() method overloads to specify the parameter's SqlDbType and its size.
And I must say, table is a reserved keyword in T-SQL. You should use it with square brackets, [table]. Some database managers don't consider keyword case (table - TABLE), but SQL Server does consider it by default, as far as I know. The best option is to change it to a non-reserved word.
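The following is an added example, not code from the question or the answer above, putting the answer's advice together: the wildcard lives in the parameter value rather than in the SQL text, the parameter is added with an explicit SqlDbType and size instead of AddWithValue, and the reserved name is bracketed. It goes one step beyond the answer by escaping the characters SQL Server's LIKE treats specially (%, _, [ and the escape character itself), so that a user who types "%" does not match every row. The connection string, the [table] and [field] names, and the NVARCHAR(100) size are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Text;

public static class PrefixSearch
{
    // Escape the characters SQL Server's LIKE treats as wildcards (% _ [) plus the
    // escape character itself, so the user's text is matched literally.
    public static string EscapeLikePattern(string input, char escape = '\\')
    {
        var sb = new StringBuilder(input.Length);
        foreach (char c in input)
        {
            if (c == '%' || c == '_' || c == '[' || c == escape)
                sb.Append(escape);
            sb.Append(c);
        }
        return sb.ToString();
    }

    // Returns up to 10 values of [field] that start with pseudopart.
    // [table] and [field] are assumed names; identifiers cannot be parameterized,
    // so they are fixed in the query text and bracketed because "table" is reserved.
    public static List<string> FindPossibleMatches(string connectionString, string pseudopart)
    {
        var possibleMatch = new List<string>();

        // The "%" is appended to the parameter VALUE below, never to the SQL text.
        // ESCAPE '\' tells SQL Server which character EscapeLikePattern used.
        const string query =
            "SELECT TOP 10 [field] FROM [table] WHERE [field] LIKE @pseudopart ESCAPE '\\'";

        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(query, connection))
        {
            // Typed and sized parameter instead of AddWithValue; 100 is an assumed
            // column length and should match the real NVARCHAR declaration.
            command.Parameters.Add("@pseudopart", SqlDbType.NVarChar, 100).Value =
                EscapeLikePattern(pseudopart) + "%";

            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                while (reader.Read())
                    possibleMatch.Add(Convert.ToString(reader["field"]));
            }
        }
        return possibleMatch;
    }
}
```

A caveat on the Size argument: SqlClient silently truncates an input string parameter that is longer than the declared size, so a prefix longer than 100 characters would be cut before it reaches the server. Pick the size from the column definition rather than a guess.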