Solved

Using several parameters with SQL IN clause

Posted on 2009-04-02
10
222 Views
Last Modified: 2012-05-06
I'm having some trouble with the syntax for using multiple parameters with an SQL IN clause.  I'm using SQL 2005 and a classic ASP front-end.

Example of strMyList value is '123456789','123456788'

This returns no hits, even though hits exist for the first value.

Any suggestions?  See my code below.  Thanks!
strSQL = 
"SELECT myfield1, myfield2 " & _		
		"FROM mydb.dbo.mytable " & _
		"WHERE "
 
If Len(strMyList) > 0 Then
     strSQL = strSQL & "(myfield1 in (' + ? + ') " & _
     "OR myfield2 in (' + ? + ') ) "
    cmd.Parameters.Append (cmd.CreateParameter("myfield1", adVarChar, adParamInput, len(strMyList), strMyList))	
    cmd.Parameters.Append (cmd.CreateParameter(myfield2", adVarChar, adParamInput, len(strMyList), strIMyList))										
End If

Open in new window

0
Comment
Question by:hennessym
  • 3
  • 3
  • 3
  • +1
10 Comments
 
LVL 28

Accepted Solution

by:
sybe earned 125 total points
ID: 24050349
Don't use command parameters for this. The value you pass as a command parameter is understood as a single value, not as a range of values.
0
 
LVL 19

Expert Comment

by:daveamour
ID: 24050378
Can you debug and see what is actually ending up in strSQL ?
0
 
LVL 1

Author Comment

by:hennessym
ID: 24050379
Any suggestions for alternatives?  I wanted to use parameters to eliminate the SQL injection vulnerability associated with our current, dynamic SQL approach.
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 28

Expert Comment

by:sybe
ID: 24050387
The solution is to have your SQL simply as a string.


strSQL = "SELECT myfield1, myfield2 FROM mydb.dbo.mytable WHERE "
If Len(strMyList) > 0 Then strSQL = strSQL & "(myfield1 in ('" & strMyList & "') "

Open in new window

0
 
LVL 1

Author Comment

by:hennessym
ID: 24050401
Yes, strSQL looks like this:

SELECT myfield1, myfield2 FROM mydb.dbo.mytable WHERE (myfield1 in (' + ? + ') OR myfield2 in (' + ? + ') ) ORDER BY myfield1, myfield2
0
 
LVL 23

Expert Comment

by:apresto
ID: 24050402
I agree with sybe, however make sure you properly delimit your values for you IN clause, you dont want this:
field in ('val1, val2, val3') because it will apepar as one value, you ened it like this:
field in ('val1', 'val2', 'val3')
But you can run a replace like demonstrated below if you need to habndle for this:

strSQL = "SELECT myfield1, myfield2 FROM mydb.dbo.mytable WHERE "
 
If Len(strMyList) > 0 Then
    strSQL = strSQL & "(myfield1 in ('" & replace(strMyList, ",", "','") & "')"
	strSQL = strSQL & " OR myfield2 in ('" & replace(strMyList, ",", "','") & "') )"
End If

Open in new window

0
 
LVL 23

Expert Comment

by:apresto
ID: 24050411
You can always do a
Response.Write strSQL
to see what it looks like, its easier to debug that way
0
 
LVL 28

Expert Comment

by:sybe
ID: 24050436
> I wanted to use parameters to eliminate the SQL injection vulnerability associated with our current, dynamic SQL approach

Actually passing multiple values as a single value is the way SQL Injection works. You can not have this protection against SQL Injection AND at the same time allow your code to use SQL-injection-like principles.

Anyway, you could use the direct string SQL, but built in protection against SQL Injection yourself, for example allow only numeric values.
0
 
LVL 1

Author Comment

by:hennessym
ID: 24052704
Thanks for all the responses!

Sybe, I'm using your approach and filtering for SQL injection with this:

strMyList = replace(strMyList,";","")
strMyList = replace(strMyList," ","")
strMyList = replace(strMyList,"exec","")            
strMyList = replace(strMyList,"'","''")

I'm removing exec to account for hex-based SQL injection, similar to this: http://www.experts-exchange.com/Microsoft/Development/MS-SQL-Server/Q_23416543.html

Any thoughts?  Does that look secure to you guys?
0
 
LVL 23

Assisted Solution

by:apresto
apresto earned 125 total points
ID: 24055866
Looks good to me, this will definitely eliminate most threats from sql injection. you can get string sanitising scripts online which eliminate most threats, all you need to do is feed in the string and it will return a sanitised/safe string:
for example:
http://track.nextmill.net/KB/a71/preventing-sql-injection-attacks-in-classic-asp.aspx 
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Obtaining data on ASP 8 35
Executing a script on a timer online 5 32
Time comparison asp 1 20
How can I find this data? 3 23
I would like to start this tip/trick by saying Thank You, to all who said that this could not be done, as it forced me to make sure that it could be accomplished. :) To start, I want to make sure everyone understands the importance of utilizing p…
In this article we will get to know that how can we recover deleted data if it happens accidently. We really can recover deleted rows if we know the time when data is deleted by using the transaction log.
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

680 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question