
Append parameter for SQL in() statement


BillLumbergh

Programmer
Aug 15, 2001
51
US
We've got a VB6 application that hits a MS SQL Server 2000 DB. We use command object to append query parameters. What I cannot figure out is how to use the command object parameter append method when dealing with a SQL in() function. How do you use parameter.append when referring to a SQL in() value as follows:

strSQL = "select * from my_table where add_user_id = ? and type_id in (?)"

Set cnn = CreateObject("ADODB.Connection")
Set cmd = CreateObject("ADODB.Command")
Set objRS = CreateObject("ADODB.Recordset")

With cmd
    .CommandText = strSQL
    .CommandType = adCmdText
    .Parameters.Append .CreateParameter("add_user_id", adVarChar, adParamInput, 30, "BillLumbergh")
    .Parameters.Append .CreateParameter("type_id", adInteger, adParamInput, , "1,2,3")

    Set objRS = .Execute
End With

Can it even be done, or do you have to break the "in()" out and say "=? or =? or =?"?

Thanks.
 
Is there any reason why you wish to parameterise a simple statement like that?

Surely it would be much easier to simply set up the complete strSQL in the first place. I.e.:

Code:
strSQL = "select * from my_table where add_user_id = 'BillLumbergh' and type_id in (1,2,3)"

Set cnn = CreateObject("ADODB.Connection")
Set cmd = CreateObject("ADODB.Command")
Set objRS = CreateObject("ADODB.Recordset")

With cmd
    .CommandText = strSQL
    .CommandType = adCmdText

    Set objRS = .Execute
End With
 
This is the big limitation of command parameters -- you cannot use them with an IN clause. You have to concatenate your SQL together, which leaves you open to a SQL injection attack, as well as problems with apostrophes, etc. :-(

Chip H.


____________________________________________________________________
Click here to learn Ways to help with Tsunami Relief
If you want to get the best response to a question, please read FAQ222-2244 first
 
neilharris:

I am doing it for the reasons specified by chiph.

chiph:

That's what I was thinking, it cannot be done.

Thanks.
 
Why not use a stored procedure instead?
Pass the "in list" as one parameter.

e.g.
CREATE PROCEDURE sp_MyProcedure (@MyCommaDelimitedString Varchar(255))
AS
BEGIN
    EXEC ('SELECT * FROM MYTABLE
           WHERE MYFIELD IN (' + @MyCommaDelimitedString + ')')
END
GO

Regards

Frederico Fonseca
SysSoft Integrated Ltd
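The thread leaves the original question answered with "it cannot be done", and both alternatives offered (building the string client-side, or passing the list into an EXEC inside a stored procedure) concatenate user data into SQL, which is the exposure chiph points out. The example below is added here and is not code from any of the posters. It shows the approach that does work with ADO-style `?` parameters: validate the list, then emit one placeholder per value ("in (?, ?, ?)") and append one parameter per value, which is the "=? or =? or =?" idea from the question folded back into a single IN clause. It uses Python's built-in sqlite3 as a stand-in for SQL Server 2000 so it runs offline; the table and rows are constructed, and the `?` placeholder style matches what ADO uses against SQL Server. In VB6 the equivalent is one `.Parameters.Append .CreateParameter(...)` call per id, with the same placeholder expansion of `strSQL`.

```python
import re
import sqlite3

# Constructed sample data standing in for my_table from the thread.
ROWS = [
    ("BillLumbergh", 1, "a"),
    ("BillLumbergh", 2, "b"),
    ("BillLumbergh", 5, "c"),
    ("someone_else", 1, "d"),
]


def open_sample_db():
    """In-memory sqlite database with the constructed my_table rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE my_table (add_user_id TEXT, type_id INTEGER, note TEXT)")
    conn.executemany("INSERT INTO my_table VALUES (?, ?, ?)", ROWS)
    return conn


def parse_id_list(text):
    """Turn the comma-delimited string ('1,2,3') into a list of ints.

    Every token must be an integer; anything else is refused before any SQL
    is built, and an empty list is refused because 'IN ()' is not valid SQL.
    """
    ids = []
    for token in text.split(","):
        token = token.strip()
        if not re.fullmatch(r"-?\d+", token):
            raise ValueError("type_id list must contain only integers, got %r" % token)
        ids.append(int(token))
    if not ids:
        raise ValueError("type_id list is empty")
    return ids


def build_in_query(ids):
    """One '?' per value: 'IN (?, ?, ?)' rather than the single 'in (?)' from the question."""
    placeholders = ", ".join("?" for _ in ids)
    return ("SELECT add_user_id, type_id FROM my_table "
            "WHERE add_user_id = ? AND type_id IN (%s)" % placeholders)


def query_safe(conn, user_id, id_text):
    """Parameterised version: the values travel as parameters, never as SQL text."""
    ids = parse_id_list(id_text)
    sql = build_in_query(ids)
    return conn.execute(sql, [user_id] + ids).fetchall()


def query_concat(conn, user_id, id_text):
    """The concatenation approach from the thread, kept only for comparison:
    whatever is in id_text becomes part of the statement itself."""
    sql = ("SELECT add_user_id, type_id FROM my_table WHERE add_user_id = '%s' "
           "AND type_id IN (%s)" % (user_id, id_text))
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    print(build_in_query([1, 2, 3]))
    print(query_safe(db, "BillLumbergh", "1,2,3"))
    # A list that is not purely integers never reaches the database.
    try:
        query_safe(db, "BillLumbergh", "1) OR 1=1 --")
    except ValueError as exc:
        print("rejected:", exc)
    # The same string fed to the concatenating version is executed as SQL and
    # returns every row in the table, regardless of add_user_id.
    print(len(query_concat(db, "BillLumbergh", "1) OR 1=1 --")))
```

The same placeholder expansion applies to Frederico's stored-procedure idea: rather than EXEC on a string built from the parameter, the procedure can split `@MyCommaDelimitedString` into a table variable on the server and join against it, so the list values are data rather than statement text.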
 