Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Using several parameters with SQL IN clause

Posted on 2009-04-02
10
Medium Priority
?
237 Views
Last Modified: 2012-05-06
I'm having some trouble with the syntax for using multiple parameters with an SQL IN clause.  I'm using SQL 2005 and a classic ASP front-end.

Example of strMyList value is '123456789','123456788'

This returns no hits, even though hits exist for the first value.

Any suggestions?  See my code below.  Thanks!
strSQL = 
"SELECT myfield1, myfield2 " & _		
		"FROM mydb.dbo.mytable " & _
		"WHERE "
 
If Len(strMyList) > 0 Then
     strSQL = strSQL & "(myfield1 in (' + ? + ') " & _
     "OR myfield2 in (' + ? + ') ) "
    cmd.Parameters.Append (cmd.CreateParameter("myfield1", adVarChar, adParamInput, len(strMyList), strMyList))	
    cmd.Parameters.Append (cmd.CreateParameter(myfield2", adVarChar, adParamInput, len(strMyList), strIMyList))										
End If

Open in new window

0
Comment
Question by:hennessym
  • 3
  • 3
  • 3
  • +1
10 Comments
 
LVL 28

Accepted Solution

by:
sybe earned 500 total points
ID: 24050349
Don't use command parameters for this. The value you pass as a command parameter is understood as a single value, not as a range of values.
0
 
LVL 19

Expert Comment

by:daveamour
ID: 24050378
Can you debug and see what is actually ending up in strSQL ?
0
 
LVL 1

Author Comment

by:hennessym
ID: 24050379
Any suggestions for alternatives?  I wanted to use parameters to eliminate the SQL injection vulnerability associated with our current, dynamic SQL approach.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 28

Expert Comment

by:sybe
ID: 24050387
The solution is to have your SQL simply as a string.


strSQL = "SELECT myfield1, myfield2 FROM mydb.dbo.mytable WHERE "
If Len(strMyList) > 0 Then strSQL = strSQL & "(myfield1 in ('" & strMyList & "') "

Open in new window

0
 
LVL 1

Author Comment

by:hennessym
ID: 24050401
Yes, strSQL looks like this:

SELECT myfield1, myfield2 FROM mydb.dbo.mytable WHERE (myfield1 in (' + ? + ') OR myfield2 in (' + ? + ') ) ORDER BY myfield1, myfield2
0
 
LVL 23

Expert Comment

by:apresto
ID: 24050402
I agree with sybe, however make sure you properly delimit your values for you IN clause, you dont want this:
field in ('val1, val2, val3') because it will apepar as one value, you ened it like this:
field in ('val1', 'val2', 'val3')
But you can run a replace like demonstrated below if you need to habndle for this:

strSQL = "SELECT myfield1, myfield2 FROM mydb.dbo.mytable WHERE "
 
If Len(strMyList) > 0 Then
    strSQL = strSQL & "(myfield1 in ('" & replace(strMyList, ",", "','") & "')"
	strSQL = strSQL & " OR myfield2 in ('" & replace(strMyList, ",", "','") & "') )"
End If

Open in new window

0
 
LVL 23

Expert Comment

by:apresto
ID: 24050411
You can always do a
Response.Write strSQL
to see what it looks like, its easier to debug that way
0
 
LVL 28

Expert Comment

by:sybe
ID: 24050436
> I wanted to use parameters to eliminate the SQL injection vulnerability associated with our current, dynamic SQL approach

Actually passing multiple values as a single value is the way SQL Injection works. You can not have this protection against SQL Injection AND at the same time allow your code to use SQL-injection-like principles.

Anyway, you could use the direct string SQL, but built in protection against SQL Injection yourself, for example allow only numeric values.
0
 
LVL 1

Author Comment

by:hennessym
ID: 24052704
Thanks for all the responses!

Sybe, I'm using your approach and filtering for SQL injection with this:

strMyList = replace(strMyList,";","")
strMyList = replace(strMyList," ","")
strMyList = replace(strMyList,"exec","")            
strMyList = replace(strMyList,"'","''")

I'm removing exec to account for hex-based SQL injection, similar to this: http://www.experts-exchange.com/Microsoft/Development/MS-SQL-Server/Q_23416543.html

Any thoughts?  Does that look secure to you guys?
0
 
LVL 23

Assisted Solution

by:apresto
apresto earned 500 total points
ID: 24055866
Looks good to me, this will definitely eliminate most threats from sql injection. you can get string sanitising scripts online which eliminate most threats, all you need to do is feed in the string and it will return a sanitised/safe string:
for example:
http://track.nextmill.net/KB/a71/preventing-sql-injection-attacks-in-classic-asp.aspx 
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Have you ever needed to get an ASP script to wait for a while? I have, just to let something else happen. Or in my case, to allow other stuff to happen while I was murdering my MySQL database with an update. The Original Issue This was written…
Introduction: When running hybrid database environments, you often need to query some data from a remote db of any type, while being connected to your MS SQL Server database. Problems start when you try to combine that with some "user input" pass…
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …
Screencast - Getting to Know the Pipeline

824 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question