Select records from an MS SQL 2K table using value list parameter

I'm contructing a stored proc like the following:

CREATE PROCEDURE Select_Widgets
    @WidgetsList varChar(20)
    AS
    Select * From Table1
    Where WidgetID In(@WidgetsList )

but am getting the following error from sql server 2k when running through the debugger: 'Syntax error converting the varchar value '2,5' to a column of data type int'.  The target field is an int, so I'm passing a comma delimited list of int values without quotes around each value.
LloydMcAsked:
Who is Participating?
 
SjoerdVerweijCommented:
Ehm... how about

Create Procedure Select_Widgets
  @WidgetList VarChar(255)
As
Begin

  Declare @TWidget Table(ID Int)

  Declare @P Int

  While (@P > 0)
    Begin
      Set @P = CharIndex(',', @WidgetList)
      If (@P <= 0)
        Insert Into @TWidget(ID) Values(Cast(@WidgetList As Int))
      Else
        Begin
          Insert Into @TWidget(ID) Values(Cast(Left(@WidgetList, @P-1) As Int))
          Set @WidgetList = SubString(@WidgetList, @P + 1, 255)
        End
    End
 
  Select * From Table1 Where WidgetID In (Select ID From @TWidget)

End
Go

No dynamic SQL needed.
0
 
jdlambert1Commented:
Don't know if there's a better way, but this works:

CREATE PROCEDURE Select_Widgets
    @WidgetsList varChar(20)
AS

DECLARE @sql nvarchar(888)

SET @sql = 'Select * From Table1 Where WidgetID In ( ' + @WidgetsList + ') '

EXEC sp_executesql @sql
0
 
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
jdlambert1: I agree, this is 'the' solution, no better choices availlable ...
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
arbertCommented:
Have to agree with SjoerdVerweij here.  Looks overly complicated, but you don't have the penalty of Dynamic SQL and you don't have to worry about the security implications of dynamic sql...
0
 
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
If security is an issue, last solution is best. If it is not, first solution is more fexible, since you can use a subselect as argument (and this is indeed the security break ...).
0
 
SjoerdVerweijCommented:
Call the first version like so:

Select_Widgets '0);select user --'

It's called a SQL injection attack.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.