How to use LIKE in a t-sql dynamic statement in a stored procedure?

Question

I\'m trying to use the LIKE keyword with the % wildcards wrapping the parameter, but I\'m not sure how to get the % characters into the statement without breaking it. Right

Answer 1

The % characters have to be in the search string...

SET @search = '%' + @search + '%'
SET @SQLQuery = 'SELECT * FROM [tblApps] WHERE [firstName] LIKE @search'

Note that the following would also work, but introduces potential for a SQL injection vulnerability...

-- DON'T do this!
SET @SQLQuery = 'SELECT * FROM [tblApps] WHERE [firstName] LIKE ''%' + @search + '%'''