tags:

views:

210

answers:

6
Q: 

SQL Server - Replacing Single Quotes and Using IN

Hello,

I am passing a comma-delimited list of values into a stored procedure. I need to execute a query to see if the ID of an entity is in the comma-delimited list. Unfortunately, I think I do not understand something.

When I execute the following stored procedure:

exec dbo.myStoredProcedure @myFilter=N'1, 2, 3, 4'

I receive the following error:

"Conversion failed when converting the varchar value '1, 2, 3, 4' to data type int."

My stored procedure is fairly basic. It looks like this:

CREATE PROCEDURE [dbo].[myStoredProcedure]
    @myFilter nvarchar(512) = NULL
AS
SET NOCOUNT ON
BEGIN
    -- Remove the quote marks so the filter will work with the "IN" statement
    SELECT @myFilter = REPLACE(@myFilter, '''', '')

    -- Execute the query
    SELECT
     t.ID,
     t.Name  
    FROM
     MyTable t
    WHERE
     t.ID IN (@myFilter)
    ORDER BY
     t.Name
END

How do I use a parameter in a SQL statement as described above? Thank you!

+3  A: 

You need to split the string and dump it into a temp table. Then you join against the temp table.

There are many examples of this, here is one at random.

http://blogs.microsoft.co.il/blogs/itai/archive/2009/02/01/t-sql-split-function.aspx

Jonathan Allen  2009-10-22 20:09:47
Alternately, you can convert the comma-delimited list into XML and pass the XML into the stored procedure as an argument. You'd still be joining against the XML, but you'd at least avoid writing a split function.
iKnowKungFoo  2009-10-22 20:21:05
@iKnowFungFoo: Using XML means eating up characters with markup rather than content - runs the risk of not being able to send all content
OMG Ponies  2009-10-22 20:32:03
@iKnowKungFoo: On top of what @rexem said, if you have many data to send, markup becomes too big and thus the query slows down.
Sung Meister  2009-10-22 20:36:29
A: 

I would create a function that takes your comma delimited string and splits it and returns a single column table variable with each value in its own row. Select that column from the returned table in your IN statement.

jlech  2009-10-22 20:11:10
A: 

I found a cute way of doing this - but it smells a bit.

declare @delimitedlist varchar(8000)
set @delimitedlist = '|1|2|33|11|3134|'

select * from mytable where @delimitedlist like '%|' + cast(id as varchar) + '|%'

So... this will return all records with an id equal to 1, 2, 33, 11, or 3134.

EDIT: I would also add that this is not vulnerable to SQL injection (whereas dynamic SQL relies on your whitelisting/blacklisting techniques to ensure it isn't vulnerable). It might have a performance hit on large sets of data, but it works and it's secure.

Mayo  2009-10-22 20:12:04
I think you would prevent SQL from using an index seek and force it to scan,
Andrew  2009-10-22 20:18:49
cast varchar as ??? should at least define more than a sigle char.
astander  2009-10-22 20:19:06
@Andrew: you're correct - it would perform miserably because it can't use an index due to using % at the start of the LIKE criteria.
OMG Ponies  2009-10-22 20:19:42
Mayo  2009-10-22 20:22:57
sql server 2005 has MAX, read about it?
astander  2009-10-22 20:24:18
no need for the snark, astander.
Peter  2009-10-22 20:27:39
Facts or snarks?
astander  2009-10-22 20:31:19
I think we are having a dog-shed moment.
Peter  2009-10-22 20:32:11
k, its fine we know the answer...
astander  2009-10-22 20:36:57
I meant, I think we are having a bike-shed moment.
Peter  2009-10-22 20:40:09
OK, then you peddle
astander  2009-10-22 20:52:11
Declaring varchar without length is a horrible habit, sorry. In some cases it will truncate to 30 characters, in others it will truncate to 1. Oh, and it won't tell you that it's truncated; nothing like silent data loss to start off your week. This isn't something to be brushed off, IMHO. Using it *never* will prevent you from using it in the wrong place without realizing it. http://is.gd/4wsl3
Aaron Bertrand  2009-10-22 21:55:19
The op also forgot to explicitly list columns and he didn't specify the table owner / schema. His nomenclature for variable/column/table names is lacking. He also should break up the statement into multiple lines for readability. I'm ashamed to share the same name.
Mayo  2009-10-23 01:48:55
+2  A: 

Absent a split function, something like this:

CREATE PROCEDURE [dbo].[myStoredProcedure]
    @myFilter varchar(512) = NULL -- don't use NVARCHAR for a list of INTs
AS
SET NOCOUNT ON
BEGIN
    SELECT
        t.ID,
        t.Name          
    FROM
        MyTable t
    WHERE
        CHARINDEX(','+CONVERT(VARCHAR,t.ID)+',',@myFilter) > 0
    ORDER BY
        t.Name
END

Performance will be poor. A table scan every time. Better to use a split function. See: http://www.sommarskog.se/arrays-in-sql.html

Peter  2009-10-22 20:21:45
+4  A: 

You could make function that takes your parameter, slipts it and returns table with all the numbers in it.

If your are working with lists or arrays in SQL Server, I recommend that you read Erland Sommarskogs wonderful stuff:

Arrays and Lists in SQL Server 2005

pirho  2009-10-22 20:32:02
A: 

I have a couple of blog posts on this as well, with a lot of interesting followup comments and dialog:

http://is.gd/4wsnn

http://is.gd/4wsp3

Aaron Bertrand  2009-10-22 21:56:59

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?