Parameterizing a full text query in sql server

Question

I have a problem using the sql server full text feature. I'm converting some forum software to use the full text search and I have everything setup and working. My problems are related to full text queries. I have designed a few queries which run as desired when I test them in sql server management studio using the CONTAINS predicate to locate my search results eg:

Select ....
From ..... 
WHERE Contains(p.Message,'" dog food "' ) ......

So this runs fine but how can I parameterize this in a prepared statement? Ideally I would like to be able to run a query with a where clause like:

Select ....
From ..... 
WHERE Contains(p.Message,'" @SearchTerm "' ) ...

or even

WHERE Contains(p.Message,'"@SearchTerm" Near "@OtherSearchTerm" ) ...

But this approach doesn't work because of the double quotes and all. I could build the search term up dynamically in the code but I really need to be using parameters for all user input for security reasons. I have looked at a zillion google results trying to find a solution but can't(Surely this must happen everyone or am I missing something really obvious here and/or it's not possible ). Any Ideas?

Answer 1

This answer demonstrates a parameterized SQL Server Full-Text Search in VB.NET using the Enterprise Library 5.0; and further shows returning ten rows for each "object type" (think people, places and things).

Given the following table and full-text index:

CREATE TABLE [dbo].[SearchIndexes](
    [SearchIndexId] [int] IDENTITY(1,1) NOT NULL,
    [ObjectKey] [nvarchar](50) NOT NULL,
    [ObjectText] [nvarchar](4000) NOT NULL,
    [CreateDate] [datetime] NOT NULL,
    [ObjectTypeId] [int] NOT NULL,
 CONSTRAINT [PK_SearchIndexes] PRIMARY KEY CLUSTERED 
(
    [SearchIndexId] ASC
)WITH (PAD_INDEX  = OFF, STATISTICS_NORECOMPUTE  = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS  = ON, ALLOW_PAGE_LOCKS  = ON) ON [PRIMARY]
) ON [PRIMARY]

GO

CREATE FULLTEXT INDEX ON [dbo].[SearchIndexes](
[ObjectText] LANGUAGE [English])
KEY INDEX [PK_SearchIndexes] ON ([MyDbFullTextCatalog], FILEGROUP [PRIMARY])
WITH (CHANGE_TRACKING = AUTO, STOPLIST = SYSTEM)

Code:

Public Function FullTextSearch(text As String) As System.Collections.Generic.List(Of String)

  Const SqlFormat As String = "with RankCte as (select ObjectText, Row_number() over (Partition BY ObjectTypeId ORDER BY ObjectText ) AS RowNum FROM dbo.SearchIndexes where contains(ObjectText, @ObjectTextParameter)) SELECT ObjectText FROM RankCte where RowNum <= 10"
  Const ParameterFormat As String = """{0}*"""

  Dim db = Databases.MyDb

  Using command = db.GetSqlStringCommand(SqlFormat)
    Dim parameterValue = String.Format(Globalization.CultureInfo.InvariantCulture, ParameterFormat, text)
    'parameterValue should now be something like "search*" (includes the double quotes)

    db.AddInParameter(command, "ObjectTextParameter", DbType.String, parameterValue)

    Using reader = db.ExecuteReader(command)
      Dim results As New List(Of String)
      Do While reader.Read()
        results.Add(reader(0).ToString)
      Loop
      Return results
    End Using
  End Using
End Function

Answer 2

How about string concatenation?

WHERE Contains(p.Message, '"' + @SearchTerm + '" Near "' + @OtherSearchTerm + '"')

Answer 3

Create a stored procedure with parameters, like:

CREATE PROCEDURE [sp_FullTextSearch] 
    @SearchTerm nvarchar(500)
AS
BEGIN
    Select ....
    From ..... 
    WHERE Contains(p.Message, @SearchTerm)
END

Then call it from your code.

HOW TO: Call SQL Server Stored Procedures in ASP.NET by Using Visual C# .NET