No, it is correct that the parameters remain in the command text.
This is because what is actually passed to the server is something like the below:
exec sp_executesql N'SELECT Comment FROM Comments WHERE UserId = @ID_USER AND Comment like ''% + @SEARCH %''',
N'@ID_USER int,@SEARCH nvarchar(max)',
@ID_USER=1,
@SEARCH=N'some search text';
So your parameters remain in place even when it is passed to the server. This is why you can still see them in your command text.
As an aside, your query will not work as expected. In this line:
AND Comment like '% @SEARCH %'
You are looking for where Comment actually contains "@Search" rather than the value assigned to the parameter. What you need is:
AND Comment like '%' + @SEARCH + '%'
Another, slightly unrelated point is that there is no need to, nor is it useful to, reuse SqlConnections. Define a new one for each connection. .NET is smart enough to reuse connections by pooling them; don't reinvent the wheel. Also use using blocks to ensure your disposable classes are disposed of.
So I would make your whole reader block as follows:
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Web.Security;

// Wrapped in a method so it compiles on its own; the connection string, the
// MembershipUser and the search term come from the surrounding code in the question.
static List<string> SearchComments(string yourConnectionString, MembershipUser user, string searchData)
{
    var searchResults = new List<string>();
    string sql = "SELECT Comment FROM Comments WHERE UserID = @ID_USER AND Comment LIKE '%' + @SEARCH + '%'";
    using (var connection = new SqlConnection(yourConnectionString))
    using (var command = new SqlCommand(sql, connection))
    {
        command.Parameters.AddWithValue("@ID_USER", user.ProviderUserKey.ToString());
        command.Parameters.AddWithValue("@SEARCH", searchData.ToString());
        connection.Open();
        using (var reader = command.ExecuteReader())
        {
            while (reader.Read())
            {
                // Column 0 is the Comment text selected above.
                searchResults.Add(reader.GetString(0));
            }
        }
    }
    return searchResults;
}
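A slightly more defensive version of that reader block, added here as an example and not taken from the answer or the question: it types the parameters explicitly instead of relying on AddWithValue's inference, and escapes the LIKE wildcards in the user's search term so the term is matched literally. The class and method names are assumptions.

```csharp
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Hypothetical helper class; the Comments table and its columns come from the answer above.
static class CommentSearch
{
    // Escape the characters SQL Server's LIKE treats specially, so a user-supplied
    // term such as "100%" matches that literal text instead of acting as a wildcard.
    // '!' is used as the ESCAPE character, so it is escaped as well.
    public static string EscapeLikeTerm(string term)
    {
        return term
            .Replace("!", "!!")
            .Replace("%", "!%")
            .Replace("_", "!_")
            .Replace("[", "![");
    }

    public static List<string> Search(string connectionString, int userId, string searchData)
    {
        const string sql =
            "SELECT Comment FROM Comments " +
            "WHERE UserId = @ID_USER AND Comment LIKE '%' + @SEARCH + '%' ESCAPE '!'";

        var results = new List<string>();
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Explicit types: an int column compared with an nvarchar parameter
            // (what AddWithValue infers from a string) forces an implicit conversion per row.
            command.Parameters.Add("@ID_USER", SqlDbType.Int).Value = userId;
            command.Parameters.Add("@SEARCH", SqlDbType.NVarChar, -1).Value = EscapeLikeTerm(searchData);

            connection.Open();
            using (var reader = command.ExecuteReader())
            {
                while (reader.Read())
                {
                    results.Add(reader.GetString(0));
                }
            }
        }
        return results;
    }
}
```

The search text still travels as a parameter (never concatenated into the SQL), so this only changes what the pattern matches, not how it is sent.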