Quote:
I will parameterize the query later.
No. No, you won't. Because it will be "working" and you will move on to other things. And as a result, your code will always be vulnerable to SQL Injection. Fix it first, then move on to doing what you are trying to do.
And ... if you fix your filter problem without parameterizing the query, it's even less likely that you will get round to changing it!
In fact, you can fix both problems at the same time.
What you need to do is: create a StringBuilder to hold the query as you assemble it, and a List<SqlParameter> to hold the parameter values. Add an integer, and preset it to 1.
Write a method that returns an integer, and accepts an int, a StringBuilder, your list, and two strings: one called Condition, and one called Parameter.
In the method, check Parameter - if it's empty or whitespace, return the integer unchanged.
Otherwise, add the condition string to the StringBuilder, plus a '@' and the integer value. Increment the integer. Create a SqlParameter, give it the same name as you just added to the StringBuilder, and set its value to the Parameter. Add it to the list, and return the new integer value.
Now you just call that for each possible search term, and when you are done, set the SQL command and its parameters.
It's a lot quicker to code than to write out in English!
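The helper method and the search-assembly loop described above, written out in C# as an added illustration (not code from the answer's author). The table and column names (`Customers`, `Name`, `City`, `Email`) and the `WHERE 1 = 1` starter, which lets every condition string carry its own leading `AND`, are assumptions for the sake of the example.

```csharp
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Text;

static class SearchQueryBuilder
{
    // Appends "condition @N" to the query and a parameter named @N holding the
    // value, but only when the search term was actually supplied.
    // Returns the next free parameter number so the caller can chain calls.
    static int AddCondition(int next, StringBuilder sql, List<SqlParameter> parameters,
                            string condition, string parameter)
    {
        if (string.IsNullOrWhiteSpace(parameter))
            return next;                       // term not given: query unchanged

        string name = "@" + next;
        sql.Append(condition).Append(name);    // e.g. " AND City = @2"
        parameters.Add(new SqlParameter(name, parameter));
        return next + 1;
    }

    // Builds one SqlCommand for any combination of supplied search terms.
    // The user-typed values never enter the SQL text; they travel only as
    // parameter values, so quotes or comment markers in them are harmless.
    public static SqlCommand Build(SqlConnection conn, string name, string city, string email)
    {
        // Assumed schema: Customers(Id, Name, City, Email).
        var sql = new StringBuilder("SELECT Id, Name, City, Email FROM Customers WHERE 1 = 1");
        var parameters = new List<SqlParameter>();
        int next = 1;

        // Wildcards for LIKE belong in the value, not in the SQL string.
        string namePattern = string.IsNullOrWhiteSpace(name) ? name : "%" + name + "%";

        next = AddCondition(next, sql, parameters, " AND Name LIKE ", namePattern);
        next = AddCondition(next, sql, parameters, " AND City = ", city);
        next = AddCondition(next, sql, parameters, " AND Email = ", email);

        var cmd = new SqlCommand(sql.ToString(), conn);
        cmd.Parameters.AddRange(parameters.ToArray());
        return cmd;
    }
}
```

Calling `Build(conn, "smith", "", "a@b.example")` yields `... WHERE 1 = 1 AND Name LIKE @1 AND Email = @2` with two parameters; the empty city term adds nothing.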