Solved

SQL Server - passing a string paramether to a Stored Proc

Posted on 2009-07-11
3
277 Views
Last Modified: 2012-05-07
I pass a string as a parameter to a stored procedure that should get results but does not..  My SP looks like this

ALTER PROCEDURE [dbo].[spMySP]
      
@items nvarchar(50)
      
AS

SELECT    dayofWeek, anotherItem
  FROM table1

where cast(month(dayofWeek) as nvarchar(20)) in (@items)

END

I get no results regardless of what I pass as a parameter.  For example if i pass '1,2,3' as a parameter, i get nothing.  What the heck have i done wrong?
0
Comment
Question by:BoggyBayouBoy
3 Comments
 
LVL 60

Assisted Solution

by:chapmandew
chapmandew earned 150 total points
ID: 24830332
you'll need to do something like this....since it is a list of values, you'll need to use dynamic sql.  you can also use a function to split the values into a table...i'll show you the easier of the two:

declare @x nvarchar(2000)
set @x = 'SELECT    dayofWeek, anotherItem
  FROM table1 where cast(month(dayofWeek) as nvarchar(20)) in (' + @items + ')'

execute sp_executesql @x
0
 
LVL 29

Accepted Solution

by:
Göran Andersson earned 350 total points
ID: 24830489
The string that you are using in the in clause is not considered to be a list of value, but just a single string.

in( '1,2,3' ) is not the same as in( '1', '2', '3' )

You can split the string into values and put in a temporary table, then join against the table to get the result.

As parsing the string verifies it's contents, it keeps the procedure from being wide open for SQL injection attacks.

alter procedure spMySP
   @items nvarchar(50)
as
 
declare @t table(m int)
declare @pos int
 
while (len(@items) > 0) begin
   set @pos = charindex(',', @items)
   if (@pos = 0) set @pos = len(@items) + 1
   insert into @t values (cast(substring(@items, 0, @pos) as int))
   set @items = substring(@items, @pos + 1, 1000)
end
 
select t1.dayOfWeek, t1.anotheritem
from table1 t1
inner join @t t on month(t1.dayOfWeek) = t.m

Open in new window

0
 
LVL 1

Author Closing Comment

by:BoggyBayouBoy
ID: 31602413
Thanks !  Very nice solutions.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction: When running hybrid database environments, you often need to query some data from a remote db of any type, while being connected to your MS SQL Server database. Problems start when you try to combine that with some "user input" pass…
In SQL Server, when rows are selected from a table, does it retrieve data in the order in which it is inserted?  Many believe this is the case. Let us try to examine for ourselves with an example. To get started, use the following script, wh…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question