Re: SQL Parameters using the IN keyword

Tech-Archive recommends: Fix windows errors by optimizing your registry

From: Miha Markic [MVP C#] (miha)
Date: 11/11/04 

Date: Thu, 11 Nov 2004 10:10:04 +0100

Hi Ben,

Yep, this is a chronic problem with databases.
The easiest way is to create sql statement dynamically.
Beware of sql injection possibility - you have to check parameters!
Another solution is to pass a string with Id separated with a char or
something and do the processing on the server.
This is more tedious but you don't have problem with sql injection if done
properly. 

-- 
Miha Markic [MVP C#] - RightHand .NET consulting & development
SLODUG - Slovene Developer Users Group
www.rthand.com
"Ben" <bent@pronamics.com.au> wrote in message 
news:a33741da.0411102229.378dc0c8@posting.google.com...
> Hey,
>
> Not sure if this is the right group to post this on, so sorry in
> advance if it isn't.
>
> I'm using the VS.NET 2005 beta, and am trying to fill one grid, based
> on what is selected in the other grid.  So, in the SelectionChanged
> event, I get the IDs of the selected rows in the first grid, and..
> this is where i get stuck :)
>
> This is my statement:
>
> SELECT     (SELECT Products.Name FROM Products WHERE Products.ID =
> Summary.Product) AS Product, SUM(Owned) AS Owned, SUM(Maintained) AS
> Maintained, SUM(Unlocked) AS Unlocked,
>                      SUM(Vouchers) AS Vouchers
> FROM         dbo.Summary
> WHERE Summary.Office IN (SELECT Office.ID FROM Office WHERE
> Office.Company IN ( @Parameter))
> GROUP BY Product
> ORDER BY Product
>
> What I would like to be able to do, is replace @Parameter, with
> several comma seperated Guid values. However, no matter what I do, if
> i try to add a parameter, it gets interpreted as one value, and thus
> has some difficulty interpretting something two Guids seperated by a
> comma.
>
> Is there a way around this? Or do i have to manually code the this to
> use an actual SQL statement rather than trying to use parameters?
>
> Any help would be most appreciated, and I hope I've included enough
> detail.
>
> Thanks!
>
> Ben

Relevant Pages

  • Re: SQL Injection
    ... parameters by embedding strings directly I believe the framework (dbExpress, etc.) will actually prevent SQL injection. ... SQL injection occurs when someone types in characters via a front-end that change a SQL statement so that it executes something unintended. ...
    (borland.public.delphi.non-technical)
  • Re: Win32 Needs
    ... Chris Morgan wrote: ... with SQL injection. ... use pre-prepared parameterised queries for that. ... Can you provide an example where you get a different SQL statement by using a "special" string value? ...
    (borland.public.delphi.non-technical)
  • Select - SQL vs. SUM
    ... I have a grid whose recordsource is a table named _payments. ... With the SQL statement when I change the value in ThisPmt column for the ... first time and hit Enter key, the value in txtUnused is updated and the focus ...
    (microsoft.public.fox.programmer.exchange)
  • Re: Format of available fields
    ... syntax for referencing it would be ... the tables included in the query of that name - literally MyTable_LastName. ... SQL statement they were not there. ... query grid), it has no criteria, and ...
    (microsoft.public.access.forms)
  • Re: SQL Statement to Combine Like Items and Sum Quantities
    ... What I need to do is to actually modify the data ... Bring the required fields in the grid. ... Keep the proposed GROUP BY, ... And I want to write a SQL statement to change the records to look like: ...
    (microsoft.public.access.queries)