- CATALOG -
Using Variables with SQL LIKE for Flexible Querying: Dynamic SQL Techniques to the Rescue
folder [sql variables]  

Using SQL “Like” with a Variable

Introduction

In this article, we will explore the use of variables in SQL LIKE clauses. We will examine why static strings do not work well when used with dynamic conditions and discuss how to effectively utilize variables for flexible querying.

Understanding SQL LIKE

The SQL LIKE operator is used to search for a specified pattern in columns of text data types. It returns one or more rows that match the specified pattern.

SELECT * FROM table_name WHERE column_name LIKE 'pattern';

In the case of a percentage sign (%) preceding or following a literal string, SQL LIKE performs wildcard matching:

  • % matches any number of characters.
  • _ is a literal character (i.e., no match when used before a literal character).

The OR operator is not typically applied between multiple LIKE conditions directly.

Why Dynamic SQL is Needed

When using variables in SQL queries, especially with LIKE, you often need to construct the query dynamically. However, static strings do not always work as expected because they are not dynamic and do not easily accommodate changes based on user input or other dynamic parameters.

For example, consider a scenario where we want to search for text containing ‘fishing’, ‘seaside’, and ‘docks’. We can’t simply use the following code:

SELECT * 
FROM constituency 
WHERE book_text LIKE '%fishing%' OR book_text LIKE '%seaside%' AND book_text LIKE '%docks%'

This is because SQL does not directly support the OR operator between multiple LIKE conditions in this way. We will need to use dynamic SQL instead.

Using Dynamic SQL for Variable Conditions

Dynamic SQL allows us to create and execute SQL commands at runtime, using variables or parameters that are defined elsewhere. It can be powerful but also more complex and error-prone than static queries.

Declare Variables

In SQL Server (and other versions of the T-SQL dialect), you declare your variables before they’re used:

DECLARE @search VARCHAR(MAX)

You define the size as MAX because we’ll need to accommodate longer strings when setting our variable.

SET @search = '''%fishing%'' OR book_text LIKE ''%seaside%'' AND book_text LIKE  ''%docks%''

This sets the string that will be used in our dynamic SQL command. Note the double quotes (") around the LIKE patterns, which are necessary for SQL Server to interpret them correctly.

Constructing Dynamic Query

The next step is constructing a dynamic SQL query:

DECLARE @query_str VARCHAR(MAX)
SELECT @query_str = 'SELECT * FROM constituency WHERE book_text LIKE ' + @search;

This constructs a new string that contains the SQL command to search for our condition. The + operator concatenates strings in T-SQL.

Executing Dynamic Query

Finally, we execute our constructed query:

EXEC(@query_str);

Note that when using dynamic SQL with parameters (like variables), you should use parameterized queries instead of string concatenation to avoid security risks and potential issues with SQL injection attacks. However, for simplicity and because the LIKE patterns do not pose an immediate risk here, we’ll stick with a concatenated approach for this explanation.

Using Dynamic SQL with Variable Conditions

Now that we’ve seen how to construct our dynamic query using variable conditions, let’s dive into an example:

-- Step 1: Declare variables
DECLARE @search VARCHAR(MAX)
SET @search = '''%fishing%'' OR book_text LIKE ''%seaside%'' AND book_text LIKE  ''%docks%''

-- Step 2: Construct dynamic query
DECLARE @query_str VARCHAR(MAX)
SELECT @query_str = 'SELECT * FROM constituency WHERE book_text LIKE ' + @search;

-- Step 3: Execute the dynamic query
BEGIN
    EXEC(@query_str);
END;

When run, this code will execute a SQL command that searches for rows in constituency where book_text includes both “fishing”, “seaside”, and “docks”.

Alternative Approach with Parameterized Query

While the above approach illustrates how to use dynamic SQL effectively, it’s also worth noting parameterized queries as an alternative:

DECLARE @search VARCHAR(MAX)
SET @search = '''%fishing%'' OR book_text LIKE ''%seaside%'' AND book_text LIKE  ''%docks%''

DECLARE @query_str NVARCHAR(MAX) = N'SELECT * FROM constituency WHERE book_text LIKE @search';
EXEC sp_executesql @query_str, N'@search VARCHAR(MAX)', @search=@search;

In this approach, we use sp_executesql to execute our dynamic query while still maintaining parameter safety. This is generally recommended over concatenating strings directly into the SQL command.

Conclusion

Using variables with SQL LIKE requires careful consideration of how you construct your queries and manage potential security risks. By leveraging dynamic SQL techniques and understanding how parameters can be used, you can create flexible querying solutions that accommodate various user inputs or dynamic conditions.

Dynamic SQL is a powerful tool in SQL programming, capable of generating complex commands on the fly based on predefined parameters. Its flexibility makes it an ideal choice for scenarios involving variable data or user-defined queries.

However, to avoid security issues, it’s crucial to learn about parameterized queries and their benefits over string concatenation when working with dynamic conditions.

Always strive for parameterized queries in real-world applications to ensure the security and integrity of your database operations.

Last modified on 2024-11-30

Algorithm Building Made Easy
Hugo Theme Diary by Rise
Ported from Makito's Journal.

© 2025 Algorithm Building Made Easy
- CATALOG -