ansaurus

Question

Answer 1

A:

Its more like:

create  proc [dbo].[GetRequestsItems](@RequestIds as varchar(8000)) as
exec('select ri.id, ri.RequestID, ri.Namefrom RequestItems ri with(nolock)
where RequestID in ('+@RequestIds+')')

and then you pass in a string of ids like: "3, 47, 10, 9"

JBrooks 2009-08-01 01:00:41

And get all the wonders of SQL injection.

Pavel Minaev 2009-08-01 01:13:46

I don't think you are going to have an input box where the user types in a bunch of ids. My example came from a list that the user could check the checkboxes of the rows they wanted, I then generate the list of IDs based on that. Then bring back the child rows. No opportunity for sql injection there.

JBrooks 2009-08-01 01:31:45

Answer 2

A:

Arrays and Lists in SQL Server 2005 by Erland Sommarskog. The reference article on the subject, with all alternatives deeply covered and discussed. The SO duplicate actually fails to mention this one, which is a shame.

As of 2008 there is also the table valued parameter option.

Remus Rusanu 2009-08-01 01:14:08

Answer 3

A:

I've found it useful to use stored procedures with the array of values passed in as XML:

<languages>
   <id>2001</id>
   <id>2023</id>
   <id>2076</id>
</languages>


CREATE PROCEDURE [dbo].[GetStringsFromLanguageIds]
@languageIds xml
AS
BEGIN

SELECT StringID
FROM TRANSLATIONTB
JOIN @languageIds.nodes('languages/id') R(languages)
ON LanguageID = languages.value('.','int')

END

James Conigliaro 2009-08-01 01:24:10

@James: just curious. Your choice either way, but did you read the part about how this question is likely to be closed as a duplicate?

John Saunders 2009-08-01 01:25:29

ansaurus

tags:

views:

answers:

SQL SELECT Arrays in C#?

related questions