Paul,

On Tue, Apr 20, 2010 at 2:31 PM, Paul Alkema <paulalkemadesi...@gmail.com> wrote:

> Eh, sorry. I've just found the solution to my own problem.
>
> Just for future reference, this is my solution.
>
> DECLARE @idList varchar(max)
> DECLARE @sql varchar(max)
> SET @idList = '1,2'
> SET @sql = 'SELECT * FROM table WHERE ID IN (' + @idList + ')'
> EXEC(@sql)

Just watch the context that you're using this in, because depending on how
@idList is being populated, you're definitely open to SQL injection.

Also, I'd use sp_executesql over the exec command:
http://www.mssqltips.com/tip.asp?tip=1160

-Dan
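
Added example, not part of the original thread: one way to keep the ID list out of the statement text is to pass it to sp_executesql as a parameter and split it inside the query. It assumes SQL Server 2016 or later (STRING_SPLIT and TRY_CAST); the #Items table and the sample list are constructed for illustration.

```sql
-- Hypothetical stand-in for the real table, so the script runs on its own.
CREATE TABLE #Items (ID int PRIMARY KEY, Name varchar(50));
INSERT INTO #Items (ID, Name) VALUES (1, 'one'), (2, 'two'), (3, 'three');

-- Constructed input: two valid ids plus elements that are not integers.
DECLARE @idList nvarchar(max) = N'1, 2, abc, , 3 OR 1=1';

-- The statement text is a constant. The list is bound to @ids as data,
-- so nothing in it is ever parsed as SQL.
DECLARE @sql nvarchar(max) = N'
SELECT i.ID, i.Name
FROM #Items AS i
WHERE i.ID IN (
    SELECT TRY_CAST(s.value AS int)          -- non-integers become NULL
    FROM STRING_SPLIT(@ids, N'','') AS s
    WHERE LTRIM(RTRIM(s.value)) <> N''''     -- skip empty elements (they would cast to 0)
);';

EXEC sys.sp_executesql
     @sql,
     N'@ids nvarchar(max)',   -- parameter declaration
     @ids = @idList;          -- value bound at execution time

DROP TABLE #Items;
```

Elements that do not convert to int yield NULL from TRY_CAST and match no row, so a malformed list can only narrow the result, never change the query.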


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:333046