ansaurus

Question

Answer 1

+2 A:

You can use WHERE MachineID IN ('Machine1', 'Machine2', 'Machine3', ... 'MachineN')

Then in your loop you would just add the 1..n machines. The IN clause works with 1 element or n elements, so it should be fine.

However, I'd look at using a stored procedure to do it rather than hardcoding the SQL into your application.

dcp 2010-04-16 21:58:37

this is potentially vulnerable to a SQL injection, since you're no longer using a parameterized query (at least, I've never seen a parameterized query interface that allows parameterizing the "in" clause)

rmeador 2010-04-16 22:03:57

@meador - I agree 100%, that's why I made the recommendation to use a stored procedure.

dcp 2010-04-16 22:14:43

what is SQL injection...??

2010-04-16 22:24:11

SQL injection: http://en.wikipedia.org/wiki/SQL_injection

a programmer 2010-04-16 23:49:36

Answer 2

+1 A:

Ideally you are trying to arrive at a solution similar to creating "MachineID in (1, 2, 3, 4)" dynamically.

Option 1

There are many ways to complete this task from passing in a comma separated string into the stored proc and dynamically build the sql string and then calling "EXEC sp_executesql @sql" http://stackoverflow.com/questions/182060/sql-where-in-array-of-ids

Option 2

You can pass in a string of comma separated values and then parse out the values into their own temp-table and then join on to it http://vyaskn.tripod.com/passing_arrays_to_stored_procedures.htm

Option 3 - my choice

You can now pass in the array of values using XML and then select the array items easily. http://support.microsoft.com/kb/555266

.

Glennular 2010-04-16 22:03:04

i dont kno why i cannot give u a +ve vote... it says vote too old..

2010-04-19 16:56:10

@user175084 try it now, i edited it.

Glennular 2010-04-19 18:41:54

Answer 3

+2 A:

Build a real table and load the machine ids into it.

Then your sql would be

where MachineID in ( select MachineID from userMachine where userID = x)

When you are done, remove all rows for the userID.

delete from userMachine where userID = x.

sparkkkey 2010-04-16 22:03:56

Answer 4

+1 A:

If you are going to do this via dynamic SQL, you need to build a call to the IN function. (e.g. In(id1, id2, id3...)

private string GetSql( IList<int> machineIds )
{
    var sql = new StringBuilder( "SELECT FileID FROM Files Where MachineID In(" );
    for( var i = 0; i < machineIds.Count; i++ )
    {
        if ( i > 0 )
            sql.Append(", ")
        sql.Append("@MachineId{0}", i);
    }

    sql.Append(" ) ");

    //additional parameters to query
    sql.AppendLine(" And Col1 = @Col1" );
    sql.AppendLine(" And Col2 = @Col2 ");
    ...

    return sql.ToString();
}

private DataTable GetData( IList<int> machineIds, string col1, int col2... )
{
    var dt = new DataTable();
    var sql = GetSql( machineIds );
    using ( var conn = new SqlConnection() )
    {
        conn.ConnectionString = ConfigurationManager.ConnectionStrings["DBConnectionString"].ConnectionString;
        using ( var cmd = new SqlCommand( sql, conn ) )
        {
            conn.Open();

            for( var i = 0; i < machineIds.Count; i++ )
            {
                var parameterName = string.Format("@MachineId{0}", i );
                cmd.Parameters.AddWithValue( parameterName, machineIds[i] );
            }

            cmd.Parameters.AddWithValue( "@Col1", col1 ); 
            cmd.Parameters.AddWithValue( "@Col2", col2 ); 
            ...

            using ( var da = new SqlDataAdapter( cmd ) )
            {
                da.Fill( dt );
            }
        }
    }

    return dt;
}

Thomas 2010-04-16 22:06:39

ok i think i understood your code but have not implemented it,, but what do for the other search items.. simply append them as u did for "," and "machineID"???

2010-04-16 22:34:46

@user175084 - If by "other search items" you mean other columns in the query, you would build those into your Select statement just like you did when you had `MachineId = @MachineId`. So, "...And Col1 = @Col1 And Col2 = @Col2...". If by "other" you mean other machine ids, you pass a list into the function of Ids you want returned.

Thomas 2010-04-16 22:41:06

@user175084 - I have edited my response to show how you might pass additional columns into the query. You need to append parameters to your SQL statement for each of those additional values you wish to drop into the query and then add SqlParameters for each one.

Thomas 2010-04-16 22:46:09

ok things look good let me try this and hope it works... thanks man

2010-04-16 22:52:51

i tried a lot of stuff but im getting this errorMust declare the scalar variable "@MachineId"

2010-04-21 18:58:46

@user175084 - You shouldn't have a parameter called @MachineId. They should all be named @MachineId0, @MachineId1, @MachineId2 etc.

Thomas 2010-04-21 19:16:12

Answer 5

+1 A:

I would also recommend using a stored procedure because otherwise you will leave yourself open to an sql injection attack - especially where you are building up a string based on user input.

Something like:

a' or 1=1; --do bad things

You can use sp_executesql in sql to run a sql statement that is built up with a where clause like @dcp suggests and although it wouldn't optimize well it is probably a quick command to run anyway.

Sql Injection attacks by example

EDIT

One way to achieve this would be using charindex, this example demonstrates how a stored procedure could be run when passed a space separated list of ids:

declare @machine table (machineId int, machineName varchar(20))
declare @files table (fileId int, machineId int)

insert into @machine (machineId, machineName) values (1, 'machine')
insert into @machine (machineId, machineName) values (2, 'machine 2.0')
insert into @machine (machineId, machineName) values (3, 'third machine')
insert into @machine (machineId, machineName) values (4, 'machine goes forth')
insert into @machine (machineId, machineName) values (5, 'machine V')

insert into @files (fileId, machineId) values (1, 3)
insert into @files (fileId, machineId) values (2, 3)
insert into @files (fileId, machineId) values (3, 2)
insert into @files (fileId, machineId) values (4, 1)
insert into @files (fileId, machineId) values (5, 3)
insert into @files (fileId, machineId) values (6, 5)

declare @machineText1 varchar(100)
declare @machineText2 varchar(100)
declare @machineText3 varchar(100)

set @machineText1 = '1 3 4'
set @machineText2 = '1'
set @machineText3 = '5 6'

select * from @files where charindex(rtrim(machineId),@machineText1,1) > 0
-- returns files 1,2,4 and 5

select * from @files where charindex(rtrim(machineId),@machineText2,1) > 0
-- returns file 4

select * from @files where charindex(rtrim(machineId),@machineText3,1) > 0
--returns file 6

So you can create this stored procedure to achieve your aim:

create procedure FilesForMachines (@machineIds varchar(1000)) 
as 
select * from [Files] where charindex(rtrim(machineId),@machineIds,1) > 0

The charindex tip is from BugSplat

amelvin 2010-04-16 22:09:25

that was helpful.... thanks

2010-04-16 22:31:16

No worries, good luck with your task.

amelvin 2010-04-16 23:24:11

Answer 6

+1 A:

Normally when I want to create a "search" type query, I use optional parameters. This allows me to send something or nothing to the parameter, making the query go from vague to very specific.

Example:

SELECT
  COL1,
  COL2,
  COL3
FROM TABLE
WHERE (@COL1 IS NULL OR @COL1 = '' OR @COL1 = COL1)

As you'll notice above, if you pass in NULL or BLANK it won't add the parameter to the query. If you do enter a value, then it'll be used in the comparison.

Zachary 2010-04-16 23:32:08

ansaurus

tags:

views:

answers:

build SQL query string using user input

related questions