I have a search form that needs to query another system’s SQL Server 2005

Question

0

Asked: May 30, 20262026-05-30T23:50:05+00:00 2026-05-30T23:50:05+00:00

I have a search form that needs to query another system’s SQL Server 2005

0

I have a search form that needs to query another system’s SQL Server 2005 database (so I have no control over their stored procedures/functions).

Generally to prevent injection, my code would look something like this:

SqlCommand cmd = new SqlCommand("SELECT * FROM myTable WHERE Id = @Id", conn);
cmd.Parameters.AddWithValue("@Id", 1234);

This scenario is a little different, in that they are requesting that the form allows for a comma separated list of values to work as well. So how would I do something like this:

string ids = "1234, 1235, 1236";
SqlCommand cmd = new SqlCommand("SELECT * FROM myTable WHERE Id IN (" + ids + ")", conn);

In a secure way, with one query?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-30T23:50:07+00:00

This was the best solution I could come up with; if anyone sees any vulnerabilities please let me know:

string idList = "1234, 1235, 1236";

XElement ids = new XElement("ds");
foreach (string s in idList.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries).Select(id => id.Trim()))
    ids.Add(new XElement("d", s));

SqlCommand cmd = new SqlCommand("SELECT * FROM myTable WHERE Id IN (SELECT T.ids.value('.', 'int') FROM @Ids.nodes('/ds/d') AS T(ids))", conn);
cmd.Parameters.Add(new SqlParameter("@Ids", ids.ToString(SaveOptions.DisableFormatting)) { SqlDbType = SqlDbType.Xml });

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have a search form that needs to query another system’s SQL Server 2005

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply