Integer List parameters in a SqlDataSource

Posted on 2007-10-14
Medium Priority
Last Modified: 2013-11-07
In ASP.NET 2.0, how do I use a SQLDataSource select parameter that is formatted as an integer list that I want to use in a SQL 'IN' statement?

Example code:
<asp:SqlDataSource ID="dsFiles" runat="server" ProviderName="System.Data.SqlClient"
    ConnectionString="<%$ ConnectionStrings:database %>"
                    SelectCommand="select * from Files
                    where fileId in (@fileIds)" >
        <asp:Parameter Name="fileIds" DefaultValue="1,2,3" />

This statement will execute, but will return with no records even though files 1, 2 and 3 exist.  Any advice?
Question by:TimDg
  • 3
  • 3
LVL 14

Expert Comment

by:Jai S
ID: 20076074
its becos 1,2,3 is taken as an integer value and a single quote is probably added '1,2,3' which becomes a single string
can you change your query like
string.format("select * from Files
                    where fileId in ({0})
                    order by srcId","1,2,3") without those select parameters...
LVL 14

Expert Comment

by:Jai S
ID: 20076079
or something like this...

"select * from Files where fileId in (" + strDefaultvalue + ")"

Author Comment

ID: 20076081
I need to use a select parameter for security restraints (SQL injection prevention).

I figured that the param was being converted to '1,2,3' when passed to the database.  I also tried changing the param type to Int32, and expected an error when it tried to convert "1,2,3" to an int, but it came out with the same zero record result (no error).
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 14

Expert Comment

by:Jai S
ID: 20076104
hits may sound absurd...but you can give it a try
change your @fields in the quiery to replace(@fields,'''','')

Author Comment

ID: 20076212
It was worth a try, but no success.

Actually, I was wrong on my errors.  I was executing the statement with an empty parameter, and was getting an empty record set.  With a correctly populated parameter, I get "Conversion failed when converting the nvarchar value '1,2,3' to data type int." from SQL Server with an untyped parameter, and "Input string was not in correct format" if I type the parameter as Int32.

Author Comment

ID: 20080594
Actually solved this after thinking about it overnight.

I programmatically modified the SQL and SelectParameters to add a parameters for each id in the string, rather than try to send all Ids in one parameter.

The following snippet worked:
string[] fileIds = fileCSVList.Split({ ',' }, 999);
dsFiles.SelectCommand = "select * from files where fileId in (";
for (int i = 0; i < fileIds.Length; i++)
  if (i > 0)
    dsFiles.SelectCommand += ",";
  dsFiles.SelectParameters.Add(i.ToString(), fileIds[i]);
  dsFiles.SelectCommand += "@" + i.ToString();
dsFiles.SelectCommand += ") order by fileId";

Accepted Solution

Computer101 earned 0 total points
ID: 20294999
PAQed with points refunded (125)

EE Admin

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Update (December 2011): Since this article was published, the things have changed for good for Android native developers. The Sequoyah Project (http://www.eclipse.org/sequoyah/) automates most of the tasks discussed in this article. You can even fin…
A long time ago (May 2011), I have written an article showing you how to create a DLL using Visual Studio 2005 to be hosted in SQL Server 2005. That was valid at that time and it is still valid if you are still using these versions. You can still re…
THe viewer will learn how to use NetBeans IDE 8.0 for Windows to perform CRUD operations on a MySql database.
The viewer will learn how to synchronize PHP projects with a remote server in NetBeans IDE 8.0 for Windows.
Suggested Courses

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question