tags:

views:

91

answers:

4
+2  Q: 

SQL In Clause with Zero to Many Parameters

I have a SQL query which is parameterized by a very limited in-house framework. The query looks like this:

Select * from somewhere
where name IN (:parameter);

The code will inject zero to many strings into the location specified by :parameter. The ":parameter" flag can only be used within the "IN" clause (so it can't be moved after the where clause to conditionally insert the 'name IN') section.

Sometimes the user will set parameter to:

'dog', 'cat'

Other times, the user will not put any values into the :parameter variable. This causes a problem since the resulting SQL query will be:

Select * from somewhere
where name IN ();

My code can catch the case where parameter is empty, but I need something which I can inject into the IN statement which is guaranteed to NEVER match an actual string.

Is there any SQL regular expression which I could inject which would NEVER match any string? Something like %.% or something....

Thanks!

A: 

I don't think you can guarantee that you will never match a existing string. The best thing that you could do is handle the case in which the statement doesn't work on the database; however, without knowing how the script is being executed I can't figure out much more from there.

msarchet  2010-09-14 14:20:35
+9  A: 

You can say:

where name in (null)

This will never match, since nothing is equal to null (not even null itself.)

Andomar  2010-09-14 14:21:34
Good answer, but why `null` does not match `null`?
fastcodejava  2010-09-15 10:03:14
@fastcodejava: "comparisons with Null can never result in either True or False, but always in a third logical result, Unknown" http://en.wikipedia.org/wiki/Null_(SQL) So `null = null` results in `unknown`, and the `where` clause only matches on `true`.
Andomar  2010-09-15 11:24:23
+4  A: 

nullshould not match with anything.

gpeche  2010-09-14 14:22:03
A: 

Name cannot be null, so you can do empty string?

fastcodejava  2010-09-14 14:23:10

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL