>Hi everyone, I could use some advice on this.
>We can define a select statement like this

>Dim SQL As String = "SELECT [tipid], [rtaid], [projectname], [location], [shortdesc], [sponsor] FROM [projects] WHERE (archived = @aFilter) ORDER BY [sponsor], [projectname]"
>Dim oCommand As New SqlCommand(SQL, oConn)
>oCommand.Parameters.AddWithValue("aFilter", somevalue)

but what do we do when we need WHERE (@acomplicatedstring) which may not involve the archived field but may or may not involve others? Is it appropriate to build the string by concatenation and not use parameters in this case? I am trying to allow the user to build a query that allows any number of variables.
>
>Thanks

You need to build your string dynamically, but still use parameters. You alternatively can have a stored procedure that will construct query dynamically where using parameters.

Erland Sommarskog has a great, albeit quite long article on this topic

http://www.sommarskog.se/dyn-search.html