The Archive Base
Editorial Team
Asked: May 13, 2026

I am in a situation where I am given a comma-separated VarChar as input


I am in a situation where I am given a comma-separated VarChar as input to a stored procedure. I want to do something like this:

SELECT * FROM tblMyTable 
INNER JOIN /*Bunch of inner joins here*/ 
WHERE ItemID IN ($MyList);

However, you can’t use a VarChar with the IN statement. There are two ways to get around this problem:

  1. (The Wrong Way) Create the SQL query in a String, like so:

    SET $SQL = '
    SELECT * FROM tblMyTable
    INNER JOIN /*Bunch of inner joins here*/
    WHERE ItemID IN (' + $MyList + ');

    EXEC($SQL);

  2. (The Right Way) Create a temporary table that contains the values of $MyList, then join that table in the initial query.

My question is:

Option 2 has a relatively large performance hit with creating a temporary table, which is less than ideal.

While Option 1 is open to an SQL injection attack, since my SPROC is being called from an authenticated source, does it really matter? Only trusted sources will execute this SPROC, so if they choose to bugger up the database, that is their prerogative.

So, how far would you go to make your code secure?

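As an added example (not part of the original question, and not the asker's code), the following T-SQL script puts the asker's "Option 1" and "Option 2" side by side on a constructed table and shows what each does when a trusted caller passes one malformed value. The table dbo.tblMyTable, the two procedure names and the sample rows are hypothetical; the script assumes SQL Server and should be run in a scratch database.

```sql
-- Added example: the asker's "wrong way" (dynamic SQL) beside the "right way"
-- (temp table). Table, rows and procedure names are constructed for the demo.
CREATE TABLE dbo.tblMyTable (ItemID int PRIMARY KEY, Name varchar(50));
INSERT INTO dbo.tblMyTable VALUES (1, 'one'), (2, 'two'), (3, 'three'), (42, 'secret');
GO

-- Option 1: the list is pasted into the statement text, so whatever the caller
-- sends is SQL, not data, regardless of how trusted the caller is.
CREATE PROCEDURE dbo.GetItems_Dynamic @MyList varchar(8000)
AS
BEGIN
    DECLARE @SQL nvarchar(max) =
        N'SELECT ItemID, Name FROM dbo.tblMyTable WHERE ItemID IN (' + @MyList + N');';
    EXEC (@SQL);
END
GO

-- Option 2: split the list into a temp table first. The values only ever reach the
-- query as rows in a JOIN, so nothing in the list can change the statement.
CREATE PROCEDURE dbo.GetItems_TempTable @MyList varchar(8000)
AS
BEGIN
    CREATE TABLE #Ids (ItemID int NOT NULL);

    DECLARE @Rest varchar(8000) = @MyList + ',', @Pos int, @Token varchar(8000);
    WHILE LEN(@Rest) > 0
    BEGIN
        SET @Pos   = CHARINDEX(',', @Rest);
        SET @Token = LTRIM(RTRIM(SUBSTRING(@Rest, 1, @Pos - 1)));
        SET @Rest  = SUBSTRING(@Rest, @Pos + 1, LEN(@Rest));
        -- A token that is not an integer is a caller bug (or an attack):
        -- fail loudly on the conversion instead of guessing what was meant.
        IF @Token <> ''
            INSERT INTO #Ids (ItemID) VALUES (CONVERT(int, @Token));
    END

    SELECT t.ItemID, t.Name
    FROM dbo.tblMyTable AS t
    INNER JOIN #Ids AS i ON i.ItemID = t.ItemID;
END
GO

-- Well-formed input: both procedures return items 1 and 3.
EXEC dbo.GetItems_Dynamic   @MyList = '1, 3';
EXEC dbo.GetItems_TempTable @MyList = '1, 3';

-- Same trusted caller, one bad value. The dynamic version now executes
--   ... WHERE ItemID IN (1) OR 1=1 --);
-- and returns every row, including 42. The temp-table version raises a
-- conversion error on the token '1) OR 1=1 --' and returns nothing.
EXEC dbo.GetItems_Dynamic   @MyList = '1) OR 1=1 --';
EXEC dbo.GetItems_TempTable @MyList = '1) OR 1=1 --';
```

The point of the second pair of calls is that "trusted source" describes the caller, not the data the caller forwards: a web form, a CSV import or a bug in the calling code can put that string into @MyList without anyone intending harm, and with Option 1 the stored procedure has no way to tell. Option 2 also fails on the bad value, but it fails closed, with an error rather than extra rows.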
1 Answer

    Editorial Team
    Added an answer on May 13, 2026 at 11:02 pm

    What database are you using? In SQL Server you can create a split function that splits a long string and returns a table in sub-second time. You use the table function call like a regular table in a query (no temp table necessary).

    You need to create a split function, or, if you already have one, just use it. This is how a split function can be used:

    SELECT
        *
        FROM YourTable                               y
        INNER JOIN dbo.yourSplitFunction(@Parameter) s ON y.ID=s.Value
    

    I prefer the Numbers table approach to splitting a string in T-SQL, but there are numerous ways to split strings in SQL Server; see the previous link, which explains the pros and cons of each.

    For the Numbers table method to work, you need to do this one-time table setup, which will create a table Numbers that contains rows from 1 to 10,000:

    SELECT TOP 10000 IDENTITY(int,1,1) AS Number
        INTO Numbers
        FROM sys.objects s1
        CROSS JOIN sys.objects s2
    ALTER TABLE Numbers ADD CONSTRAINT PK_Numbers PRIMARY KEY CLUSTERED (Number)
    

    Once the Numbers table is set up, create this split function:

    CREATE FUNCTION [dbo].[FN_ListToTable]
    (
         @SplitOn  char(1)      --REQUIRED, the character to split the @List string on
        ,@List     varchar(8000)--REQUIRED, the list to split apart
    )
    RETURNS TABLE
    AS
    RETURN 
    (
    
        ----------------
        --SINGLE QUERY-- --this will not return empty rows
        ----------------
        SELECT
            ListValue
            FROM (SELECT
                      LTRIM(RTRIM(SUBSTRING(List2, number+1, CHARINDEX(@SplitOn, List2, number+1)-number - 1))) AS ListValue
                      FROM (
                               SELECT @SplitOn + @List + @SplitOn AS List2
                           ) AS dt
                          INNER JOIN Numbers n ON n.Number < LEN(dt.List2)
                      WHERE SUBSTRING(List2, number, 1) = @SplitOn
                 ) dt2
            WHERE ListValue IS NOT NULL AND ListValue!=''
    
    );
    GO 
    

    You can now easily split a CSV string into a table and join on it:

    select * from dbo.FN_ListToTable(',','1,2,3,,,4,5,6777,,,')
    

    OUTPUT:

    ListValue
    -----------------------
    1
    2
    3
    4
    5
    6777
    
    (6 row(s) affected)
    

    You can use the CSV string like this, no temp table necessary:

    SELECT * FROM tblMyTable 
    INNER JOIN /*Bunch of inner joins here*/ 
    WHERE ItemID IN (select ListValue from dbo.FN_ListToTable(',',$MyList));
    
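As an added example (not part of the answer above, and not the answerer's code), here is a stored procedure built around the answer's dbo.FN_ListToTable, with the checks a caller-supplied list still needs even though it is never concatenated into SQL: the function returns varchar values, so joining them straight onto an int column relies on implicit conversion, and one non-numeric token turns into an unclear conversion error in the middle of the query. The script assumes the Numbers table and FN_ListToTable from the answer have been created and assumes SQL Server 2012 or later (for TRY_CONVERT and THROW); dbo.tblMyTable(ItemID int, Name varchar) and the procedure name are hypothetical.

```sql
-- Added example: a stored procedure around the answer's FN_ListToTable that
-- validates the list before using it. Assumes Numbers and dbo.FN_ListToTable
-- from the answer exist; dbo.tblMyTable and the procedure name are hypothetical.
CREATE PROCEDURE dbo.GetItemsByList
    @MyList varchar(8000)   -- same limit as FN_ListToTable's @List parameter
AS
BEGIN
    SET NOCOUNT ON;

    -- Split once into a table variable so every token is checked before the join.
    -- TRY_CONVERT returns NULL for a token that is not an int instead of raising
    -- a conversion error; DISTINCT keeps '1,1' from returning item 1 twice.
    DECLARE @Ids TABLE (RawValue varchar(8000) NOT NULL, ItemID int NULL);

    INSERT INTO @Ids (RawValue, ItemID)
    SELECT DISTINCT ListValue, TRY_CONVERT(int, ListValue)
    FROM dbo.FN_ListToTable(',', @MyList);

    -- Reject the whole request if any token failed to parse, rather than letting
    -- the join silently drop it or fail with a generic conversion error.
    IF EXISTS (SELECT 1 FROM @Ids WHERE ItemID IS NULL)
    BEGIN
        THROW 50000, 'MyList contains a value that is not an integer.', 1;
    END

    -- int = int: no implicit conversion, and the index on ItemID can be used.
    SELECT t.ItemID, t.Name
    FROM dbo.tblMyTable AS t
    INNER JOIN @Ids AS i ON i.ItemID = t.ItemID;
END
GO

-- '1,,3' returns items 1 and 3 (the split function already drops empty tokens).
EXEC dbo.GetItemsByList @MyList = '1,,3';

-- '1) OR 1=1 --' raises error 50000 and returns no rows: the text reaches the
-- procedure as data, never as part of the statement.
EXEC dbo.GetItemsByList @MyList = '1) OR 1=1 --';
```

Two limits carry over from the answer's function and are worth stating at the procedure boundary: @List is varchar(8000), so a longer list is truncated by the parameter, and the Numbers table only covers 10,000 positions, so a delimiter beyond that position is never found. Checking LEN(@MyList) against both before splitting gives the caller a clear error instead of a silently shortened result.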


© 2021 The Archive Base. All Rights Reserved