custom sql parameter using IN clause in gridview - C#

Question

When I placed the the following SQL query,

SELECT
   [ItemID], [Name], [RelDate], [Price], [Status] 
FROM 
   [item_k] 
WHERE 
   [ItemID] IN (" + itemIDs + ")

in gridview custom sql statements, it gets transformed to,

SELECT 
   ItemID, Name, RelDate, Price, Status   
FROM 
   item_k 
WHERE 
   (ItemID IN ([ + itemIDs + ]))

and when I execute the query the following error is shown

SQL Execution Error
Invalid column name '+ itemIDs+'

what seems to be the problem?

thanks

Tony Arra · Accepted Answer · 2009-05-17 15:21:14Z

1

Have you tried putting + itemIDs+ in single quotes?

answered May 17, 2009 at 15:21

Tony Arra

11.2k1 gold badge32 silver badges49 bronze badges

Sign up to request clarification or add additional context in comments.

Comments

spender · Accepted Answer · 2009-05-17 15:21:26Z

1

The problem with your string concat method is that it would possibly leave you vulnerable to SQL injection. I wouldn't try to fix this approach, but go for a a parameterized query that doesn't require string concatenation.

answered May 17, 2009 at 15:21

spender

121k36 gold badges245 silver badges369 bronze badges

Comments

pier · Accepted Answer · 2009-05-17 16:03:40Z

0

SELECT [ItemID], [Name], [RelDate], [Price], [Status] FROM [item_k] WHERE [ItemID] IN (' + itemIDs + ')

changed " to ' and it worked!

answered May 17, 2009 at 16:03

pier

5033 gold badges14 silver badges29 bronze badges

Collectives™ on Stack Overflow

custom sql parameter using IN clause in gridview - C#

3 Answers 3

Comments

Comments

Comments

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

3 Answers 3

Comments

Comments

Comments

Your Answer

Sign up or log in

Post as a guest

Related