• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 240
  • Last Modified:

Using several parameters with SQL IN clause

I'm having some trouble with the syntax for using multiple parameters with an SQL IN clause.  I'm using SQL 2005 and a classic ASP front-end.

Example of strMyList value is '123456789','123456788'

This returns no hits, even though hits exist for the first value.

Any suggestions?  See my code below.  Thanks!
strSQL = 
"SELECT myfield1, myfield2 " & _		
		"FROM mydb.dbo.mytable " & _
		"WHERE "
 
If Len(strMyList) > 0 Then
     strSQL = strSQL & "(myfield1 in (' + ? + ') " & _
     "OR myfield2 in (' + ? + ') ) "
    cmd.Parameters.Append (cmd.CreateParameter("myfield1", adVarChar, adParamInput, len(strMyList), strMyList))	
    cmd.Parameters.Append (cmd.CreateParameter(myfield2", adVarChar, adParamInput, len(strMyList), strIMyList))										
End If

Open in new window

0
hennessym
Asked:
hennessym
  • 3
  • 3
  • 3
  • +1
2 Solutions
 
sybeCommented:
Don't use command parameters for this. The value you pass as a command parameter is understood as a single value, not as a range of values.
0
 
daveamourCommented:
Can you debug and see what is actually ending up in strSQL ?
0
 
hennessymAuthor Commented:
Any suggestions for alternatives?  I wanted to use parameters to eliminate the SQL injection vulnerability associated with our current, dynamic SQL approach.
0
Introducing Cloud Class® training courses

Tech changes fast. You can learn faster. That’s why we’re bringing professional training courses to Experts Exchange. With a subscription, you can access all the Cloud Class® courses to expand your education, prep for certifications, and get top-notch instructions.

 
sybeCommented:
The solution is to have your SQL simply as a string.


strSQL = "SELECT myfield1, myfield2 FROM mydb.dbo.mytable WHERE "
If Len(strMyList) > 0 Then strSQL = strSQL & "(myfield1 in ('" & strMyList & "') "

Open in new window

0
 
hennessymAuthor Commented:
Yes, strSQL looks like this:

SELECT myfield1, myfield2 FROM mydb.dbo.mytable WHERE (myfield1 in (' + ? + ') OR myfield2 in (' + ? + ') ) ORDER BY myfield1, myfield2
0
 
aprestoCommented:
I agree with sybe, however make sure you properly delimit your values for you IN clause, you dont want this:
field in ('val1, val2, val3') because it will apepar as one value, you ened it like this:
field in ('val1', 'val2', 'val3')
But you can run a replace like demonstrated below if you need to habndle for this:

strSQL = "SELECT myfield1, myfield2 FROM mydb.dbo.mytable WHERE "
 
If Len(strMyList) > 0 Then
    strSQL = strSQL & "(myfield1 in ('" & replace(strMyList, ",", "','") & "')"
	strSQL = strSQL & " OR myfield2 in ('" & replace(strMyList, ",", "','") & "') )"
End If

Open in new window

0
 
aprestoCommented:
You can always do a
Response.Write strSQL
to see what it looks like, its easier to debug that way
0
 
sybeCommented:
> I wanted to use parameters to eliminate the SQL injection vulnerability associated with our current, dynamic SQL approach

Actually passing multiple values as a single value is the way SQL Injection works. You can not have this protection against SQL Injection AND at the same time allow your code to use SQL-injection-like principles.

Anyway, you could use the direct string SQL, but built in protection against SQL Injection yourself, for example allow only numeric values.
0
 
hennessymAuthor Commented:
Thanks for all the responses!

Sybe, I'm using your approach and filtering for SQL injection with this:

strMyList = replace(strMyList,";","")
strMyList = replace(strMyList," ","")
strMyList = replace(strMyList,"exec","")            
strMyList = replace(strMyList,"'","''")

I'm removing exec to account for hex-based SQL injection, similar to this: http://www.experts-exchange.com/Microsoft/Development/MS-SQL-Server/Q_23416543.html

Any thoughts?  Does that look secure to you guys?
0
 
aprestoCommented:
Looks good to me, this will definitely eliminate most threats from sql injection. you can get string sanitising scripts online which eliminate most threats, all you need to do is feed in the string and it will return a sanitised/safe string:
for example:
http://track.nextmill.net/KB/a71/preventing-sql-injection-attacks-in-classic-asp.aspx 
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

  • 3
  • 3
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now