Solved

Using several parameters with SQL IN clause

Posted on 2009-04-02
10
221 Views
Last Modified: 2012-05-06
I'm having some trouble with the syntax for using multiple parameters with an SQL IN clause.  I'm using SQL 2005 and a classic ASP front-end.

Example of strMyList value is '123456789','123456788'

This returns no hits, even though hits exist for the first value.

Any suggestions?  See my code below.  Thanks!
strSQL = 
"SELECT myfield1, myfield2 " & _		
		"FROM mydb.dbo.mytable " & _
		"WHERE "
 
If Len(strMyList) > 0 Then
     strSQL = strSQL & "(myfield1 in (' + ? + ') " & _
     "OR myfield2 in (' + ? + ') ) "
    cmd.Parameters.Append (cmd.CreateParameter("myfield1", adVarChar, adParamInput, len(strMyList), strMyList))	
    cmd.Parameters.Append (cmd.CreateParameter(myfield2", adVarChar, adParamInput, len(strMyList), strIMyList))										
End If

Open in new window

0
Comment
Question by:hennessym
  • 3
  • 3
  • 3
  • +1
10 Comments
 
LVL 28

Accepted Solution

by:
sybe earned 125 total points
ID: 24050349
Don't use command parameters for this. The value you pass as a command parameter is understood as a single value, not as a range of values.
0
 
LVL 19

Expert Comment

by:daveamour
ID: 24050378
Can you debug and see what is actually ending up in strSQL ?
0
 
LVL 1

Author Comment

by:hennessym
ID: 24050379
Any suggestions for alternatives?  I wanted to use parameters to eliminate the SQL injection vulnerability associated with our current, dynamic SQL approach.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 28

Expert Comment

by:sybe
ID: 24050387
The solution is to have your SQL simply as a string.


strSQL = "SELECT myfield1, myfield2 FROM mydb.dbo.mytable WHERE "
If Len(strMyList) > 0 Then strSQL = strSQL & "(myfield1 in ('" & strMyList & "') "

Open in new window

0
 
LVL 1

Author Comment

by:hennessym
ID: 24050401
Yes, strSQL looks like this:

SELECT myfield1, myfield2 FROM mydb.dbo.mytable WHERE (myfield1 in (' + ? + ') OR myfield2 in (' + ? + ') ) ORDER BY myfield1, myfield2
0
 
LVL 23

Expert Comment

by:apresto
ID: 24050402
I agree with sybe, however make sure you properly delimit your values for you IN clause, you dont want this:
field in ('val1, val2, val3') because it will apepar as one value, you ened it like this:
field in ('val1', 'val2', 'val3')
But you can run a replace like demonstrated below if you need to habndle for this:

strSQL = "SELECT myfield1, myfield2 FROM mydb.dbo.mytable WHERE "
 
If Len(strMyList) > 0 Then
    strSQL = strSQL & "(myfield1 in ('" & replace(strMyList, ",", "','") & "')"
	strSQL = strSQL & " OR myfield2 in ('" & replace(strMyList, ",", "','") & "') )"
End If

Open in new window

0
 
LVL 23

Expert Comment

by:apresto
ID: 24050411
You can always do a
Response.Write strSQL
to see what it looks like, its easier to debug that way
0
 
LVL 28

Expert Comment

by:sybe
ID: 24050436
> I wanted to use parameters to eliminate the SQL injection vulnerability associated with our current, dynamic SQL approach

Actually passing multiple values as a single value is the way SQL Injection works. You can not have this protection against SQL Injection AND at the same time allow your code to use SQL-injection-like principles.

Anyway, you could use the direct string SQL, but built in protection against SQL Injection yourself, for example allow only numeric values.
0
 
LVL 1

Author Comment

by:hennessym
ID: 24052704
Thanks for all the responses!

Sybe, I'm using your approach and filtering for SQL injection with this:

strMyList = replace(strMyList,";","")
strMyList = replace(strMyList," ","")
strMyList = replace(strMyList,"exec","")            
strMyList = replace(strMyList,"'","''")

I'm removing exec to account for hex-based SQL injection, similar to this: http://www.experts-exchange.com/Microsoft/Development/MS-SQL-Server/Q_23416543.html

Any thoughts?  Does that look secure to you guys?
0
 
LVL 23

Assisted Solution

by:apresto
apresto earned 125 total points
ID: 24055866
Looks good to me, this will definitely eliminate most threats from sql injection. you can get string sanitising scripts online which eliminate most threats, all you need to do is feed in the string and it will return a sanitised/safe string:
for example:
http://track.nextmill.net/KB/a71/preventing-sql-injection-attacks-in-classic-asp.aspx 
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
create insert script based on records in a table 4 24
Getting max record but maybe not use Group BY 2 32
Multiflying 2 Input Text On a Table 7 31
CREATE DATABASE 3 28
When writing XML code a very difficult part is when we like to remove all the elements or attributes from the XML that have no data. I would like to share a set of recursive MSSQL stored procedures that I have made to remove those elements from …
So every once in a while at work I am asked to export data from one table and insert it into another on a different server.  I hate doing this.  There's so many different tables and data types.  Some column data needs quoted and some doesn't.  What …
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question