sp_executesql with 'IN' statement
Posted by user300992 on Stack Overflow
Published on 2010-04-08T13:53:11Z
I am trying to use sp_executesql to prevent SQL injection in SQL 2005, I have a simple query like this:
SELECT * from table WHERE RegionCode in ('X101', 'B202')
However, when I use sp_executesql to execute the following, it doesn't return anything.
DECLARE @Cmd nvarchar(max), @ParamDefinition nvarchar(100);
SET @Cmd = N'SELECT * FROM table WHERE RegionCode in (@P1)';
SET @ParamDefinition = N'@P1 varchar(100)';
DECLARE @Code as nvarchar(100);
SET @Code = 'X101,B202';
EXECUTE sp_executesql @Cmd, @ParamDefinition, @P1 = @Code;
This is what I have tested:
SET @Code = 'X101' <-- This works, it returns a single region
SET @Code = 'X101,B202' <--- Returns nothing
SET @Code = '''X101'',''B202''' <-- Returns nothing
Please help... what did I do wrong?
© Stack Overflow or respective owner
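An added worked example (not part of the original question or any answer to it) showing why the query above returns nothing and one SQL Server 2005 compatible way to keep the list parameterized. A single parameter inside IN (...) is compared as one string, so `RegionCode IN (@P1)` behaves like `RegionCode = 'X101,B202'`. The fix keeps the whole list as one parameter value and splits it into rows inside the parameterized batch, so the user-supplied text is never concatenated into the SQL statement. The #Region table, its rows and the RegionCode/RegionName column names are constructed sample data, not from the question.

```sql
-- Constructed sample data: a temp table standing in for the question's "table".
CREATE TABLE #Region (RegionCode varchar(10), RegionName varchar(50));
INSERT INTO #Region VALUES ('X101', 'North');
INSERT INTO #Region VALUES ('B202', 'South');
INSERT INTO #Region VALUES ('C303', 'East');

DECLARE @Cmd nvarchar(max), @ParamDefinition nvarchar(200), @Code nvarchar(100);
SET @ParamDefinition = N'@P1 nvarchar(100)';
SET @Code = N'X101,B202';   -- the comma-separated list, still ONE parameter value

-- 1. The form from the question: IN (@P1) compares the column to the single
--    string 'X101,B202', so no row matches.
SET @Cmd = N'SELECT * FROM #Region WHERE RegionCode IN (@P1)';
EXECUTE sp_executesql @Cmd, @ParamDefinition, @P1 = @Code;   -- no rows

-- 2. The fix: inside the parameterized batch, split @P1 on commas with a
--    CHARINDEX loop into a table variable, then filter with IN (subquery).
--    Works on SQL Server 2005 (no table-valued parameters needed) and the
--    list never becomes part of the SQL text, so it cannot alter the query.
SET @Cmd = N'
DECLARE @List TABLE (Code nvarchar(100));
DECLARE @Rest nvarchar(200), @Pos int;
SET @Rest = @P1 + N'','';                 -- trailing comma terminates the loop
SET @Pos = CHARINDEX(N'','', @Rest);
WHILE @Pos > 0
BEGIN
    INSERT INTO @List (Code) VALUES (LTRIM(RTRIM(LEFT(@Rest, @Pos - 1))));
    SET @Rest = SUBSTRING(@Rest, @Pos + 1, LEN(@Rest) - @Pos);
    SET @Pos = CHARINDEX(N'','', @Rest);
END;
SELECT r.* FROM #Region AS r WHERE r.RegionCode IN (SELECT Code FROM @List);';
EXECUTE sp_executesql @Cmd, @ParamDefinition, @P1 = @Code;   -- X101 and B202

-- 3. Quotes in the input are plain data: this list yields only the B202 row,
--    because O'Brien is simply a value that matches nothing.
SET @Code = N'O''Brien,B202';
EXECUTE sp_executesql @Cmd, @ParamDefinition, @P1 = @Code;   -- B202 only

DROP TABLE #Region;
```

The design point is that sp_executesql only protects values that are passed as parameters; building the IN list by concatenating `'X101','B202'` into @Cmd would reintroduce the injection risk the question is trying to avoid. Splitting inside the batch keeps the single-parameter contract while still matching several codes. On SQL Server 2008 and later a table-valued parameter is the cleaner replacement for the split loop.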