Solved

Using several parameters with SQL IN clause

Posted on 2009-04-02
10
229 Views
Last Modified: 2012-05-06
I'm having some trouble with the syntax for using multiple parameters with an SQL IN clause.  I'm using SQL 2005 and a classic ASP front-end.

Example of strMyList value is '123456789','123456788'

This returns no hits, even though hits exist for the first value.

Any suggestions?  See my code below.  Thanks!
strSQL = 
"SELECT myfield1, myfield2 " & _		
		"FROM mydb.dbo.mytable " & _
		"WHERE "
 
If Len(strMyList) > 0 Then
     strSQL = strSQL & "(myfield1 in (' + ? + ') " & _
     "OR myfield2 in (' + ? + ') ) "
    cmd.Parameters.Append (cmd.CreateParameter("myfield1", adVarChar, adParamInput, len(strMyList), strMyList))	
    cmd.Parameters.Append (cmd.CreateParameter(myfield2", adVarChar, adParamInput, len(strMyList), strIMyList))										
End If

Open in new window

0
Comment
Question by:hennessym
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 3
  • +1
10 Comments
 
LVL 28

Accepted Solution

by:
sybe earned 125 total points
ID: 24050349
Don't use command parameters for this. The value you pass as a command parameter is understood as a single value, not as a range of values.
0
 
LVL 19

Expert Comment

by:daveamour
ID: 24050378
Can you debug and see what is actually ending up in strSQL ?
0
 
LVL 1

Author Comment

by:hennessym
ID: 24050379
Any suggestions for alternatives?  I wanted to use parameters to eliminate the SQL injection vulnerability associated with our current, dynamic SQL approach.
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 28

Expert Comment

by:sybe
ID: 24050387
The solution is to have your SQL simply as a string.


strSQL = "SELECT myfield1, myfield2 FROM mydb.dbo.mytable WHERE "
If Len(strMyList) > 0 Then strSQL = strSQL & "(myfield1 in ('" & strMyList & "') "

Open in new window

0
 
LVL 1

Author Comment

by:hennessym
ID: 24050401
Yes, strSQL looks like this:

SELECT myfield1, myfield2 FROM mydb.dbo.mytable WHERE (myfield1 in (' + ? + ') OR myfield2 in (' + ? + ') ) ORDER BY myfield1, myfield2
0
 
LVL 23

Expert Comment

by:apresto
ID: 24050402
I agree with sybe, however make sure you properly delimit your values for you IN clause, you dont want this:
field in ('val1, val2, val3') because it will apepar as one value, you ened it like this:
field in ('val1', 'val2', 'val3')
But you can run a replace like demonstrated below if you need to habndle for this:

strSQL = "SELECT myfield1, myfield2 FROM mydb.dbo.mytable WHERE "
 
If Len(strMyList) > 0 Then
    strSQL = strSQL & "(myfield1 in ('" & replace(strMyList, ",", "','") & "')"
	strSQL = strSQL & " OR myfield2 in ('" & replace(strMyList, ",", "','") & "') )"
End If

Open in new window

0
 
LVL 23

Expert Comment

by:apresto
ID: 24050411
You can always do a
Response.Write strSQL
to see what it looks like, its easier to debug that way
0
 
LVL 28

Expert Comment

by:sybe
ID: 24050436
> I wanted to use parameters to eliminate the SQL injection vulnerability associated with our current, dynamic SQL approach

Actually passing multiple values as a single value is the way SQL Injection works. You can not have this protection against SQL Injection AND at the same time allow your code to use SQL-injection-like principles.

Anyway, you could use the direct string SQL, but built in protection against SQL Injection yourself, for example allow only numeric values.
0
 
LVL 1

Author Comment

by:hennessym
ID: 24052704
Thanks for all the responses!

Sybe, I'm using your approach and filtering for SQL injection with this:

strMyList = replace(strMyList,";","")
strMyList = replace(strMyList," ","")
strMyList = replace(strMyList,"exec","")            
strMyList = replace(strMyList,"'","''")

I'm removing exec to account for hex-based SQL injection, similar to this: http://www.experts-exchange.com/Microsoft/Development/MS-SQL-Server/Q_23416543.html

Any thoughts?  Does that look secure to you guys?
0
 
LVL 23

Assisted Solution

by:apresto
apresto earned 125 total points
ID: 24055866
Looks good to me, this will definitely eliminate most threats from sql injection. you can get string sanitising scripts online which eliminate most threats, all you need to do is feed in the string and it will return a sanitised/safe string:
for example:
http://track.nextmill.net/KB/a71/preventing-sql-injection-attacks-in-classic-asp.aspx 
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

So every once in a while at work I am asked to export data from one table and insert it into another on a different server.  I hate doing this.  There's so many different tables and data types.  Some column data needs quoted and some doesn't.  What …
In this article I will describe the Backup & Restore method as one possible migration process and I will add the extra tasks needed for an upgrade when and where is applied so it will cover all.
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question