
I want to select all from the table 'products' where city IN (Varberg,Falkenberg), and if I use the below it works, but if I have the cities in a variable I can't get it to work. I'm using a MySQL database.

sql = "SELECT * FROM products where city in ('Varberg','Falkenberg')" 
set rs = conn.Execute (sql)

So if I use this, it is not working.

cities = Request.QueryString("cities")   ' the parameter name must be a quoted string

so that the variable becomes like this

cities="Varberg,Falkenberg"

' this wraps the whole comma-separated string in ONE pair of quotes
sql = "SELECT * FROM products WHERE city IN ('" & cities & "')" 
set rs = conn.Execute (sql)
Comments:

  • Which DBMS are you using? Commented Jan 2, 2019 at 15:37
  • Tag the programming language also. Commented Jan 2, 2019 at 15:40
  • How many times is this question going to be asked? There are numerous duplicates already. Commented Jan 2, 2019 at 21:26

2 Answers

The query you generate is missing two quotes. The generated query is

SELECT * FROM products where city in ('Varberg,Falkenberg')

and not

SELECT * FROM products where city in ('Varberg','Falkenberg')

BTW: Never use parameters provided by the user without validation and proper sanitization.


The SQL statement created with your variable will be

SELECT * FROM products WHERE city IN ('Varberg,Falkenberg')

which is different from the one you're looking for:

SELECT * FROM products where city in ('Varberg','Falkenberg')

You need to adjust your code logic to generate the correct list for your variable. Your variable holds a single value list because of the missing single quotes. You need to add the quotes so the variable holds a multi-value list.

PS - your code is also wide open to SQL injection. You should be using a parameterized query.

5 Comments

Thanks sqluillman, what would a parameterized query look like? I will try to change the logic as you say, thanks.
@ClaesGustavsson It depends on what language you're using. Looks like VB.NET. Have a look here: stackoverflow.com/questions/542510/…
It's old classic ASP.
OK. Here's a link using classic ASP. stackoverflow.com/questions/7654446/…
OK, thanks, will check it out later.
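Since the comments ask what a parameterized version would look like in classic ASP, here is an added example (not code from the question or either answer) that splits the comma-separated "cities" query-string value and binds one ADO parameter per city, so the values never become part of the SQL text. It assumes an open ADODB.Connection named conn (as in the question), a `products` table with a `city` column, and a MySQL driver that accepts "?" positional placeholders.

```vbscript
' Added example: parameterized IN list for classic ASP + ADO + MySQL.
' Assumes conn is an open ADODB.Connection (as in the question).
Dim cities, parts, i, placeholders, cmd, rs

cities = Trim(Request.QueryString("cities"))    ' e.g. "Varberg,Falkenberg"

If Len(cities) = 0 Then
    ' "IN ()" is a syntax error in MySQL, so do not run the query at all.
    Response.Write "No cities given."
Else
    parts = Split(cities, ",")

    ' One "?" per value: two cities give "?,?".
    placeholders = ""
    For i = 0 To UBound(parts)
        If i > 0 Then placeholders = placeholders & ","
        placeholders = placeholders & "?"
    Next

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1   ' adCmdText
    cmd.CommandText = "SELECT * FROM products WHERE city IN (" & placeholders & ")"

    ' Bind each trimmed city as its own input parameter
    ' (adVarChar = 200, adParamInput = 1, size 255).
    ' Quotes or other characters inside a value stay data, not SQL.
    For i = 0 To UBound(parts)
        cmd.Parameters.Append cmd.CreateParameter("p" & i, 200, 1, 255, Trim(parts(i)))
    Next

    Set rs = cmd.Execute

    Do Until rs.EOF
        Response.Write Server.HTMLEncode(rs("city")) & "<br>"
        rs.MoveNext
    Loop
    rs.Close
End If
```

The number of placeholders always matches the number of bound parameters, so the query fails cleanly instead of silently matching a single "Varberg,Falkenberg" string as in the original code.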
