Solved

Using several parameters with SQL IN clause

Posted on 2009-04-02
10
218 Views
Last Modified: 2012-05-06
I'm having some trouble with the syntax for using multiple parameters with an SQL IN clause.  I'm using SQL 2005 and a classic ASP front-end.

Example of strMyList value is '123456789','123456788'

This returns no hits, even though hits exist for the first value.

Any suggestions?  See my code below.  Thanks!
strSQL = 

"SELECT myfield1, myfield2 " & _		

		"FROM mydb.dbo.mytable " & _

		"WHERE "
 

If Len(strMyList) > 0 Then

     strSQL = strSQL & "(myfield1 in (' + ? + ') " & _

     "OR myfield2 in (' + ? + ') ) "

    cmd.Parameters.Append (cmd.CreateParameter("myfield1", adVarChar, adParamInput, len(strMyList), strMyList))	

    cmd.Parameters.Append (cmd.CreateParameter(myfield2", adVarChar, adParamInput, len(strMyList), strIMyList))										

End If

Open in new window

0
Comment
Question by:hennessym
  • 3
  • 3
  • 3
  • +1
10 Comments
 
LVL 28

Accepted Solution

by:
sybe earned 125 total points
ID: 24050349
Don't use command parameters for this. The value you pass as a command parameter is understood as a single value, not as a range of values.
0
 
LVL 19

Expert Comment

by:daveamour
ID: 24050378
Can you debug and see what is actually ending up in strSQL ?
0
 
LVL 1

Author Comment

by:hennessym
ID: 24050379
Any suggestions for alternatives?  I wanted to use parameters to eliminate the SQL injection vulnerability associated with our current, dynamic SQL approach.
0
 
LVL 28

Expert Comment

by:sybe
ID: 24050387
The solution is to have your SQL simply as a string.


strSQL = "SELECT myfield1, myfield2 FROM mydb.dbo.mytable WHERE "

If Len(strMyList) > 0 Then strSQL = strSQL & "(myfield1 in ('" & strMyList & "') "

Open in new window

0
 
LVL 1

Author Comment

by:hennessym
ID: 24050401
Yes, strSQL looks like this:

SELECT myfield1, myfield2 FROM mydb.dbo.mytable WHERE (myfield1 in (' + ? + ') OR myfield2 in (' + ? + ') ) ORDER BY myfield1, myfield2
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 23

Expert Comment

by:apresto
ID: 24050402
I agree with sybe, however make sure you properly delimit your values for you IN clause, you dont want this:
field in ('val1, val2, val3') because it will apepar as one value, you ened it like this:
field in ('val1', 'val2', 'val3')
But you can run a replace like demonstrated below if you need to habndle for this:

strSQL = "SELECT myfield1, myfield2 FROM mydb.dbo.mytable WHERE "

 

If Len(strMyList) > 0 Then

    strSQL = strSQL & "(myfield1 in ('" & replace(strMyList, ",", "','") & "')"

	strSQL = strSQL & " OR myfield2 in ('" & replace(strMyList, ",", "','") & "') )"

End If

Open in new window

0
 
LVL 23

Expert Comment

by:apresto
ID: 24050411
You can always do a
Response.Write strSQL
to see what it looks like, its easier to debug that way
0
 
LVL 28

Expert Comment

by:sybe
ID: 24050436
> I wanted to use parameters to eliminate the SQL injection vulnerability associated with our current, dynamic SQL approach

Actually passing multiple values as a single value is the way SQL Injection works. You can not have this protection against SQL Injection AND at the same time allow your code to use SQL-injection-like principles.

Anyway, you could use the direct string SQL, but built in protection against SQL Injection yourself, for example allow only numeric values.
0
 
LVL 1

Author Comment

by:hennessym
ID: 24052704
Thanks for all the responses!

Sybe, I'm using your approach and filtering for SQL injection with this:

strMyList = replace(strMyList,";","")
strMyList = replace(strMyList," ","")
strMyList = replace(strMyList,"exec","")            
strMyList = replace(strMyList,"'","''")

I'm removing exec to account for hex-based SQL injection, similar to this: http://www.experts-exchange.com/Microsoft/Development/MS-SQL-Server/Q_23416543.html

Any thoughts?  Does that look secure to you guys?
0
 
LVL 23

Assisted Solution

by:apresto
apresto earned 125 total points
ID: 24055866
Looks good to me, this will definitely eliminate most threats from sql injection. you can get string sanitising scripts online which eliminate most threats, all you need to do is feed in the string and it will return a sanitised/safe string:
for example:
http://track.nextmill.net/KB/a71/preventing-sql-injection-attacks-in-classic-asp.aspx 
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SQl Agent job fails--SSIS package looses password 6 45
SQL Agent Timeout 5 47
Unable to save view in SSMS 21 57
SQL Query with Sum and Detail rows 2 40
So every once in a while at work I am asked to export data from one table and insert it into another on a different server.  I hate doing this.  There's so many different tables and data types.  Some column data needs quoted and some doesn't.  What …
This article explains how to reset the password of the sa account on a Microsoft SQL Server.  The steps in this article work in SQL 2005, 2008, 2008 R2, 2012, 2014 and 2016.
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now