hennessym
asked on
Using several parameters with SQL IN clause
I'm having some trouble with the syntax for using multiple parameters with an SQL IN clause. I'm using SQL 2005 and a classic ASP front-end.
Example of strMyList value is '123456789','123456788'
This returns no hits, even though hits exist for the first value.
Any suggestions? See my code below. Thanks!
Example of strMyList value is '123456789','123456788'
This returns no hits, even though hits exist for the first value.
Any suggestions? See my code below. Thanks!
strSQL =
"SELECT myfield1, myfield2 " & _
"FROM mydb.dbo.mytable " & _
"WHERE "
If Len(strMyList) > 0 Then
strSQL = strSQL & "(myfield1 in (' + ? + ') " & _
"OR myfield2 in (' + ? + ') ) "
cmd.Parameters.Append (cmd.CreateParameter("myfield1", adVarChar, adParamInput, len(strMyList), strMyList))
cmd.Parameters.Append (cmd.CreateParameter(myfield2", adVarChar, adParamInput, len(strMyList), strIMyList))
End If
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Can you debug and see what is actually ending up in strSQL ?
ASKER
Any suggestions for alternatives? I wanted to use parameters to eliminate the SQL injection vulnerability associated with our current, dynamic SQL approach.
The solution is to have your SQL simply as a string.
strSQL = "SELECT myfield1, myfield2 FROM mydb.dbo.mytable WHERE "
If Len(strMyList) > 0 Then strSQL = strSQL & "(myfield1 in ('" & strMyList & "') "
ASKER
Yes, strSQL looks like this:
SELECT myfield1, myfield2 FROM mydb.dbo.mytable WHERE (myfield1 in (' + ? + ') OR myfield2 in (' + ? + ') ) ORDER BY myfield1, myfield2
SELECT myfield1, myfield2 FROM mydb.dbo.mytable WHERE (myfield1 in (' + ? + ') OR myfield2 in (' + ? + ') ) ORDER BY myfield1, myfield2
I agree with sybe, however make sure you properly delimit your values for you IN clause, you dont want this:
field in ('val1, val2, val3') because it will apepar as one value, you ened it like this:
field in ('val1', 'val2', 'val3')
But you can run a replace like demonstrated below if you need to habndle for this:
field in ('val1, val2, val3') because it will apepar as one value, you ened it like this:
field in ('val1', 'val2', 'val3')
But you can run a replace like demonstrated below if you need to habndle for this:
strSQL = "SELECT myfield1, myfield2 FROM mydb.dbo.mytable WHERE "
If Len(strMyList) > 0 Then
strSQL = strSQL & "(myfield1 in ('" & replace(strMyList, ",", "','") & "')"
strSQL = strSQL & " OR myfield2 in ('" & replace(strMyList, ",", "','") & "') )"
End If
You can always do a
Response.Write strSQL
to see what it looks like, its easier to debug that way
Response.Write strSQL
to see what it looks like, its easier to debug that way
> I wanted to use parameters to eliminate the SQL injection vulnerability associated with our current, dynamic SQL approach
Actually passing multiple values as a single value is the way SQL Injection works. You can not have this protection against SQL Injection AND at the same time allow your code to use SQL-injection-like principles.
Anyway, you could use the direct string SQL, but built in protection against SQL Injection yourself, for example allow only numeric values.
Actually passing multiple values as a single value is the way SQL Injection works. You can not have this protection against SQL Injection AND at the same time allow your code to use SQL-injection-like principles.
Anyway, you could use the direct string SQL, but built in protection against SQL Injection yourself, for example allow only numeric values.
ASKER
Thanks for all the responses!
Sybe, I'm using your approach and filtering for SQL injection with this:
strMyList = replace(strMyList,";","")
strMyList = replace(strMyList," ","")
strMyList = replace(strMyList,"exec"," ")
strMyList = replace(strMyList,"'","''" )
I'm removing exec to account for hex-based SQL injection, similar to this: https://www.experts-exchange.com/questions/23416543/Decode-Hex-after-SQL-Injection-attack.html
Any thoughts? Does that look secure to you guys?
Sybe, I'm using your approach and filtering for SQL injection with this:
strMyList = replace(strMyList,";","")
strMyList = replace(strMyList," ","")
strMyList = replace(strMyList,"exec","
strMyList = replace(strMyList,"'","''"
I'm removing exec to account for hex-based SQL injection, similar to this: https://www.experts-exchange.com/questions/23416543/Decode-Hex-after-SQL-Injection-attack.html
Any thoughts? Does that look secure to you guys?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.