views: 773, answers: 3

Hi,

When I placed the following SQL query,

SELECT
   [ItemID], [Name], [RelDate], [Price], [Status] 
FROM 
   [item_k] 
WHERE 
   [ItemID] IN (" + itemIDs + ")

in the GridView custom SQL statements, it gets transformed to,

SELECT 
   ItemID, Name, RelDate, Price, Status   
FROM 
   item_k 
WHERE 
   (ItemID IN ([ + itemIDs + ]))

and when I execute the query, the following error is shown:

SQL Execution Error
Invalid column name '+ itemIDs+'

What seems to be the problem?

Thanks

+1  A: 

Have you tried putting + itemIDs+ in single quotes?

ttony21
+1  A: 

The problem with your string concat method is that it would possibly leave you vulnerable to SQL injection. I wouldn't try to fix this approach, but go for a parameterized query that doesn't require string concatenation.

spender
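To make the point of this answer concrete, here is an added example (not code from the question or from either answer, and not tied to ASP.NET's SqlDataSource) that builds the same `WHERE [ItemID] IN (...)` query two ways against a constructed in-memory SQLite copy of the `item_k` table: once by splicing the raw `itemIDs` string into the SQL text as the question does, and once by validating the list as integers and binding one `?` placeholder per value. The table contents and the helper names (`query_concat`, `query_param`, `parse_ids`) are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for the page's [item_k] table.
ROWS = [
    (1, "Alpha", "2009-01-01", 9.99, "active"),
    (2, "Beta", "2009-02-01", 19.99, "active"),
    (3, "Gamma", "2009-03-01", 29.99, "retired"),
    (4, "Delta", "2009-04-01", 39.99, "active"),
]

COLUMNS = "ItemID, Name, RelDate, Price, Status"


def make_db():
    """Create an in-memory database with the constructed item_k rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE item_k (ItemID INTEGER PRIMARY KEY, Name TEXT, "
        "RelDate TEXT, Price REAL, Status TEXT)"
    )
    conn.executemany("INSERT INTO item_k VALUES (?, ?, ?, ?, ?)", ROWS)
    return conn


def query_concat(conn, item_ids):
    """The question's approach: the raw string becomes part of the SQL text.

    Whatever is in item_ids is parsed as SQL, so the caller has no control
    over what the statement ends up meaning.
    """
    sql = (
        "SELECT " + COLUMNS + " FROM item_k WHERE ItemID IN (" + item_ids + ")"
        " ORDER BY ItemID"
    )
    return conn.execute(sql).fetchall()


def parse_ids(item_ids):
    """Turn a comma-separated string into a list of ints, rejecting anything else.

    ItemID is an integer key, so any token that is not a plain integer is
    invalid input rather than something to pass through to the database.
    """
    ids = []
    for token in item_ids.split(","):
        token = token.strip()
        if not token.isdigit():
            raise ValueError("not an integer ItemID: %r" % token)
        ids.append(int(token))
    if not ids:
        raise ValueError("empty ItemID list")
    return ids


def query_param(conn, item_ids):
    """Parameterized version: one '?' per value, values bound separately.

    The SQL text is fixed apart from the number of placeholders, and the
    values never touch the statement text, so they cannot change its shape.
    """
    ids = parse_ids(item_ids)
    placeholders = ", ".join("?" * len(ids))  # e.g. "?, ?, ?"
    sql = "SELECT %s FROM item_k WHERE ItemID IN (%s) ORDER BY ItemID" % (
        COLUMNS, placeholders)
    return conn.execute(sql, ids).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(query_concat(db, "1, 3"))
    print(query_param(db, "1, 3"))
    # A value that is not an ID list changes the meaning of the concatenated
    # statement (it returns every row); the parameterized path rejects it.
    print(len(query_concat(db, "0) OR 1=1 --")))
    try:
        query_param(db, "0) OR 1=1 --")
    except ValueError as err:
        print("rejected:", err)
```

The check that matters for a GridView data source is the second function: the number of `?` markers is derived from the validated list, and the values are handed to the driver as parameters. If a data source component only accepts a fixed statement, the usual alternative is to pass the list as a single parameter (for example a delimited string split inside a stored procedure, or a table-valued parameter on SQL Server) rather than concatenating it into the SQL text.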
A: 

SELECT [ItemID], [Name], [RelDate], [Price], [Status] FROM [item_k] WHERE [ItemID] IN (' + itemIDs + ')

Changed " to ' and it worked!

pier
Oh my bad, undeleted.
ttony21