So I have my SqlDataSource with a SelectQuery defined as follows:
SELECT * FROM table
WHERE UserName IN (@EmployeesIn);
With @EmployeesIn coming from a session variable Session["EmployeesIn"]. During Page_Load I'm taking an ArrayList members and putting the results into a string and setting the session variable:
// Join the member names into one quoted, comma-separated string
string employeesIn = "";
foreach (string s in members)
{
    employeesIn = employeesIn + "'" + s + "',";
}
// Drop the trailing comma and hand the whole string to the single @EmployeesIn parameter
employeesIn = employeesIn.TrimEnd(',');
Session["EmployeesIn"] = employeesIn;
Writing the output to the console I can see the value of the parameter @EmployeesIn
@EmployeesIn = 'bob', 'joe'
However, I’m getting zero results back … and after monitoring from the database level I see the parameter is coming in as:
'''bob'',''joe'''
Then again if I just pass in one employee, I get results back from the SQL as expected and the parameter is passed correctly as just 'bob'. I suppose this is some safety that .NET provides against SQL injection attacks, however what's the safe way around this?
You should absolutely use parameters for this, instead of including the values within the SQL itself. You can just generate the names for the parameters, so if you had three entries you’d generate SQL of:
and then fill in those three parameters from the three values.
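As an added example (not the answerer's code and not part of the original post), here is one way to do what the answer describes with the SqlDataSource from the question: a helper that generates one parameter per value, and a Selecting handler that applies it. The helper name, the @e0/@e1 naming scheme, and the assumption that Session["EmployeesIn"] holds the member list itself rather than the joined string are mine.

```csharp
using System.Collections.Generic;
using System.Data.Common;
using System.Web.UI.WebControls;

// Hypothetical helper: rewrites cmd to
//   SELECT * FROM table WHERE UserName IN (@e0, @e1, ...)
// and adds one parameter per value, so each name travels as data, not as SQL text.
public static class InClauseBuilder
{
    public static IList<string> ApplyUserNameFilter(DbCommand cmd, IList<string> employees)
    {
        var names = new List<string>();
        if (employees == null || employees.Count == 0)
        {
            // "IN ()" is a syntax error in T-SQL; an empty list should match no rows.
            cmd.CommandText = "SELECT * FROM table WHERE 1 = 0;";
            return names;
        }
        for (int i = 0; i < employees.Count; i++)
        {
            string name = "@e" + i;            // generated name: @e0, @e1, ...
            DbParameter p = cmd.CreateParameter();
            p.ParameterName = name;
            p.Value = employees[i];            // the raw value; quoting is the driver's job
            cmd.Parameters.Add(p);
            names.Add(name);
        }
        cmd.CommandText = "SELECT * FROM table WHERE UserName IN ("
                        + string.Join(", ", names.ToArray()) + ");";
        return names;
    }
}

// Page side (assumed): wire SqlDataSource1.Selecting to this handler and remove
// the @EmployeesIn SessionParameter from the markup, since the command is built here.
public partial class EmployeesPage : System.Web.UI.Page
{
    protected void SqlDataSource1_Selecting(object sender, SqlDataSourceSelectingEventArgs e)
    {
        // Assumption: Page_Load stored the member list itself in the session.
        var members = Session["EmployeesIn"] as IList<string>;
        InClauseBuilder.ApplyUserNameFilter(e.Command, members);
    }
}
```

With this in place the single-value case and the multi-value case take the same path, and the database sees 'bob' and 'joe' as two separate parameter values instead of one escaped string.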