Pass string value to SQL query where in ('a,'b','c') in C sharp

Hi,
I have made a Windows application using C#, where I retrieve data from a SQL database table.
I'm trying to retrieve data based on a query, and for the where criteria I pass the value from the form's checkbox.
So I save the selected value of the checkbox to a string variable Temp; the value of Temp, for example, is 'a','b','c'.
So I'm trying to pull all inv no where it is either a, b or c.
I'm trying to pass this value from Temp to the SQL query in the C# code like this:

sql = "select  CusNo, InvNo,amt  from TestTbl where  Invno ( in ( '"+Temp+"') )   ";

I do not get any rows returned. On the other hand, if I try giving the value directly it pulls the desired result,
so when I try
sql = "select  CusNo, InvNo,amt  from TestTbl where  Invno ( in  ('a','b','c')   ";
I get the results.
I would appreciate it if somebody could tell me the correct way to pass the string variable Temp's value for the OR in the where clause.
Thank you,
S
Sivasan asked:
Ryan Chong commented:
try:

sql = "select  CusNo, InvNo,amt  from TestTbl where  Invno ( in ( "+Temp+" ) )   ";

Eric Flamm, Senior Consultant, commented:
Ryan's answer has an extra set of parentheses which will cause a syntax error. Assuming your checkbox value is exactly as stated, with the single quote marks, you could use the string object's format function rather than concatenation:
sql = String.Format("Select CusNo, InvNo, amt from TestTbl where InvNo in ({0})", Temp);

The nice thing about this approach is you can easily add more parameters (in curly brackets) to handle various cases.
PortletPaul, freelancer, commented:
select  CusNo, InvNo, amt  from TestTbl where  Invno ( in  ('a','b','c')   )

Just a small note, but there is no need for two sets of parentheses.

This is sufficient:
select  CusNo, InvNo, amt  from TestTbl where  Invno  in  ('a','b','c')
Ryan Chong commented:
so...

sql = "select  CusNo, InvNo,amt  from TestTbl where  Invno in ( "+Temp+"  )   ";
käµfm³d 👽 commented:
Do note that using string concatenation to build SQL queries leaves your code vulnerable to SQL Injection attacks.
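The point raised above applies to every answer in this thread, including the String.Format variant: whatever is inside Temp becomes part of the SQL text, so a stray quote in a checked value breaks the query, and a crafted value changes its meaning. The usual fix for an IN list is one SQL parameter per value. The following is an added example, not code from the thread; it assumes the checked values are available as plain strings (without the surrounding single quotes), that InvNo is a varchar(50) column, and that the control is a CheckedListBox named chkInvoices. Everything else (TestTbl, CusNo, InvNo, amt) comes from the question.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Linq;

// Added example: builds the IN list from SQL parameters instead of splicing
// the checked values into the query text.
static class InvoiceQuery
{
    // Produces "select ... where InvNo in (@p0, @p1, ...)" plus one parameter
    // per value. The values travel as data, never as SQL text, so a value such
    // as  x') or 1=1 --  is simply compared against InvNo as a string.
    public static SqlCommand BuildSelect(SqlConnection conn, IList<string> invNos)
    {
        if (invNos == null || invNos.Count == 0)
            throw new ArgumentException("At least one invoice number is required.", nameof(invNos));

        var cmd = conn.CreateCommand();
        var names = new List<string>(invNos.Count);
        for (int i = 0; i < invNos.Count; i++)
        {
            string name = "@p" + i;
            names.Add(name);
            // Column type and length are assumed (varchar(50)); match the real InvNo definition.
            cmd.Parameters.Add(name, SqlDbType.VarChar, 50).Value = invNos[i];
        }
        cmd.CommandText =
            "select CusNo, InvNo, amt from TestTbl where InvNo in (" + string.Join(", ", names) + ")";
        return cmd;
    }

    // Reads the raw checked values from the form control (assumed name chkInvoices).
    // Each item's text is the invoice number itself, with no quoting added.
    public static List<string> CheckedInvoiceNumbers(System.Windows.Forms.CheckedListBox chkInvoices)
    {
        return chkInvoices.CheckedItems.Cast<object>().Select(o => o.ToString()).ToList();
    }

    // Runs the query and writes the matching rows to the console.
    public static void Run(string connectionString, IList<string> invNos)
    {
        using (var conn = new SqlConnection(connectionString))
        {
            conn.Open();
            using (var cmd = BuildSelect(conn, invNos))
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    Console.WriteLine("{0}\t{1}\t{2}", reader["CusNo"], reader["InvNo"], reader["amt"]);
            }
        }
    }
}
```

Called as `InvoiceQuery.Run(connStr, InvoiceQuery.CheckedInvoiceNumbers(chkInvoices))`, this returns the same rows as the hand-written `in ('a','b','c')` query while keeping the query text fixed and the values typed. SQL Server caps a single request at 2100 parameters, so for very long selections a table-valued parameter is the parameterized alternative; for a handful of checkbox values the per-value parameter approach above is sufficient.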